DNUG HCL Domino 11 First Look
1. HCL Domino 11
First Look
Daniel Nashed, Nash!Com
Ulrich Krause, midpoints
November 2019, Köln
2. Speaker Introduction Daniel Nashed
ī§ Nash!Com â HCL Business Partner
ī§ Member The Penumbra group - An international consortium of selected
Business Partners pooling their talent and resources
ī§ Focus: Cross-Platform C-API, IBMÂŽ DominoÂŽ Infrastructure,
Administration, Integration, Performance, Security, Troubleshooting and
IBMÂŽ Traveler
ī§ âDNUG Fachgruppenleiterâ Verse/Notes/Domino
ī§ Author Domino on LinuxÂŽ Start Script
ī§ Co-Author Domino Docker Script
3. Speaker Introduction Ulrich Krause
ī§ Lotus Notes and Domino since 1993
ī§ Developer / Administrator
ī§ IBM Champion 2010 â 2019
ī§ HCL Master 2019
ī§ OpenNTF Contributor
ī§ Letâs Encrypt 4 Domino ( LE4D )
ī§ Working with midpoints GmbH
5. “IBM” → “HCL” Branding
• “IBM” is replaced by “HCL” in most places
• But there are still some “IBM” strings which stay
• “Lotus” and “Domino” remain
6. Guidelines followed while replacing IBM with HCL
• Any “IBM” strings or logos that are visible in normal use of the product are replaced:
• IBM strings, logos and copyright in any UI, e.g. splash screens
• Error messages, dialogs etc. which are visible in normal use
• Templates and databases shipped as part of Domino 11
• Registry path on the Windows platform
7. “IBM” strings not replaced
• Any directories or paths which might force customers to alter their applications:
• IBM_TECHNICAL_SUPPORT
• IBM_ID_VAULT
• IBM_Credstore
• IBMDomino.sym
• ibmditar.css
• C:\Program Files\IBM\Domino\data\domino\js\dojo-1.5.4\ibm
• Any configuration parameters in notes.ini that contain the IBM string
• IBM strings coming from IBM proprietary products such as IBM OS, server and compiler
• LDAP attributes
• Any COM objects with IBM as namespace
8. New Default Installation Directory
• Linux/AIX example:
• /opt/hcl/domino
• The new Nash!Com Start Script version doesn't install into the Domino binary directory
• New directory /opt/nashcom/start-script
• The install script will install into the new location
• Existing configuration is still used
• Best practice: uninstall and clean up the binary directory, then install in the new path!
9. InstallAnywhere instead of InstallShield Multiplatform (ISMP)
• Flexera InstallAnywhere 2018 is used for the Domino Server install
• Traveler is already using InstallAnywhere
• Notes clients still stay with InstallShield (a different product than ISMP)
• Some changes in detail:
• Graphical User Interface (GUI) mode, available only on Windows
• Console mode, available only on AIX and Linux
• Silent install mode, available on all platforms!
• Makes perfect sense, because Windows customers prefer the GUI while Linux/AIX customers are usually more console oriented
10. InstallAnywhere
• Works similar to ISMP, but:
• The command line has different parameters
• New response file format
• The response file is UTF-8 formatted – needs a proper editor like Notepad++ or UltraEdit
• Windows – install.exe -r <path>\<myresponse>.properties
• Linux/AIX – sudo ./install -r <path>/<myresponse>.properties
• The new silent install is used by Domino on Docker
• Works well, but some detailed output has changed:
• Domino 10 – “Dominoserver Installation successful”
• Domino 11 – “install Domino Server Installation Successful”
11. New Java™ Runtime Environment in Notes/Domino 11
• Notes/Domino 10 used the IBM JVM
• Previous Notes/Domino versions used an IBM JVM built by the IBM JVM team based on Oracle sources
• HCL needed to replace the JVM with an open JVM
• The Oracle JVM isn't free any more for commercial use (only open Java is free)
• See https://www.oracle.com/technetwork/java/javase/overview/oracle-jdk-faqs.html
• Eclipse OpenJ9, provided through AdoptOpenJDK
• https://adoptopenjdk.net
• https://openjdk.java.net
12. New Java™ Runtime Environment in Notes/Domino 11
• openjdk version "1.8.0_222"
• OpenJDK Runtime Environment (build 1.8.0_222-b10)
• Eclipse OpenJ9 VM
• Time zone database tzdata2019c
• https://www.iana.org/time-zones
• Just In Time (JIT) compilation is still enabled by default
• Can still be disabled via notes.ini JavaEnableJIT=0
13. IBM® GSKit crypto libs replaced with OpenSSL
• Previous Notes/Domino versions used the IBM® GSKit cryptographic libraries
• Replaced with the OpenSSL equivalents – free & open SSL library
• OpenSSL 1.1.1a – up-to-date version shipped with Notes/Domino 11
• See details here – https://www.openssl.org
• Notes® W32 and Mac:
• No FIPS support (Federal Information Processing Standards – required by the US government)
• Domino® W64, Linux® 64, AIX64:
• With OpenSSL 2.0 FIPS mode (https://wiki.openssl.org/index.php/FIPS_module_2.0)
• Disable FIPS support – notes.ini HCC_FIPS_NON_CERTIFIED=1
14. Limiting ID vault download disabled for SAML federated
• Previously you had to enable automatic ID download if SAML is used
• The ID Vault security policy setting “Allow automatic ID downloads” is ignored for SAML
• The setting is ignored because SAML authentication requires unrestricted download access to ID files from the vault
• The user has already used trusted authentication against AD
• This feature is already included in Domino 10.0.1 FP2 – SPR# DKENAJTT67
15. Web authentication against Notes® ID passwords in the ID vault
• Idea: instead of having two different passwords which need to be synced and stored in the person document, just use the ID vault password
• No sync needed between the web and Notes.ID password
• Safer place to store passwords
• This is only used for users with a Notes.ID
• So there is no “all or nothing” setting
• Instead you can define what should happen when no ID is found in the vault
• Configured in the configuration document
• New challenge: sync AD password → Notes.ID password
16. TLS Deprecated (weak) Ciphers
• The following ciphers are listed as weak in Domino 11:
• TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
• Weak because they still use SHA-1
• Also a BSI recommendation!
• Cipher names come back after a document refresh
• You should remove the weak (deprecated) ciphers
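To check an existing cipher configuration against this list from a script, here is an added Python example (not part of the slides and not HCL code). It takes cipher suite names as they would be listed in a Domino Internet Site document, flags the four suites above by name, and generalizes the slide's reasoning by also flagging any other CBC suite whose MAC is plain SHA-1 (names ending in `_CBC_SHA`, which excludes the SHA-256/SHA-384 variants). The sample configuration is constructed.

```python
"""Audit a TLS cipher suite list for the SHA-1 CBC suites Domino 11 marks as weak.
Added example; not part of Domino or of these slides."""
import re

# The four suites the slide lists as weak in Domino 11, with their IANA hex ids.
DOMINO11_WEAK = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": 0xC014,
}

# Generalization of the slide's reason: a CBC suite whose MAC is plain SHA-1 has a
# name ending in "_CBC_SHA" (the SHA256/SHA384 variants do not match this pattern).
SHA1_CBC = re.compile(r"_CBC_SHA$")


def audit_ciphers(configured):
    """Split a list of cipher suite names into (keep, remove).

    remove holds (name, reason) tuples; keep holds the names that pass."""
    keep, remove = [], []
    for raw in configured:
        name = raw.strip()
        if not name:
            continue
        if name in DOMINO11_WEAK:
            remove.append((name, f"listed as weak in Domino 11 (0x{DOMINO11_WEAK[name]:04X})"))
        elif SHA1_CBC.search(name):
            remove.append((name, "CBC mode with SHA-1 MAC"))
        else:
            keep.append(name)
    return keep, remove


# Constructed sample: the kind of list found in an Internet Site document's cipher field.
SAMPLE_CONFIG = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    keep, remove = audit_ciphers(SAMPLE_CONFIG)
    for name, why in remove:
        print(f"REMOVE {name}: {why}")
    print("keep:", ", ".join(keep))
```

The name-suffix rule catches suites such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA that the slide does not list but that share the same SHA-1 weakness; GCM suites and CBC suites with SHA-256/SHA-384 MACs pass untouched.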
17. Directory Sync with Active Directory (AD)
• New implementation of a dedicated sync tool for AD
• Completely new feature in Domino 11
• Thanks to Ulrich Krause (midpoints), who is the most active & best tester for this feature!
18. Directory Sync (DirSync)
• Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino® directory
• Currently data from Active Directory can be synced
• Directory Sync makes it easy for your Notes users to address mail to, and see details about, users in your organization not using Notes®, such as Microsoft™ Outlook users registered in Active Directory
• With this feature, Active Directory users automatically have Person documents in the Domino® directory, so that Notes® users can find their addresses and other information
• Without DirSync, Notes® users must know the addresses of the Active Directory users before they can send mail to them, unless Person documents are added for them manually
19. Directory Sync Components
• An LDAP directory assistance document, created in a directory assistance database that is enabled for Directory Sync
• A Directory Sync Configuration document, created in the Directory Sync view of the Domino® directory
• A server task, Dirsync, that runs only on the Domino® administration server and connects to the Active Directory server regularly to pull person and group changes into the Domino® directory
27. Sync Groups
• If you want to synchronize groups, select the types of groups to synchronize. If you don't want to synchronize groups, do not select either option.
• Global Security groups, to be able to use Active Directory security groups in Notes® access lists.
• Global Distribution groups, to be able to use Active Directory distribution groups in Notes® mail addressing.
29. Enable DirSync Configuration
• Select “Run in test mode” to simulate the actions that Directory Sync would take without changing any Domino® data.
32. Disable DirSync Configuration
• Before you can edit the configuration, you must disable it!
• Select one or more DirSync configurations and click “Disable”
• A request action document is created and processed by the DirSync task
35. Rename Registered Person
• The “Rename Domino users upon Active Directory rename” option must be enabled in the Directory Sync configuration document
36. Domino 11 – Two Tier DAOS
(Diagram: attachments such as Bigfile.xls, Hugefile.ppt and Podcast.mp3 in Domino; Domino 8.5 with DAOS stores them as NLO files; Domino 11 adds DAOS T1 (local) and DAOS T2 on an S3 (Simple Storage Service) “bucket”, “cloud” or “local”, S3 + many others; an NLO such as ABC.nlo is moved to T2 after n days of inactivity)
37. DAOS Tier 2 Storage on S3 Storage
• “Domino Attachment Object Service (DAOS) Tier 2 storage”
• Allows using an S3-compatible storage service to store older attachment objects that haven't been accessed within a specified number of days
• Reduces the amount of data stored on Domino® servers that use DAOS, which matters for:
• Scalability
• Storage costs
• Backup optimization
• An S3-compatible storage service uses the Amazon Web Services (AWS) Simple Storage Service (S3) API
38. Amazon S3 Storage
• Amazon S3 is the reference implementation
• Amazon Simple Storage Service
• There is an SDK from Amazon which is also used by Domino
• https://en.wikipedia.org/wiki/Amazon_S3
• Many vendors support “cloud object storage”
• But it's not just for cloud storage vendors!
• It's a general interface!
• Simple design
• Objects are organized in “buckets” + each object is identified by a unique, user-assigned key
39. Other S3 Implementations
• MinIO Server
• Provides an S3 server and also a nice command-line client
• Can run as a single binary or inside a Docker container
• References and a good starting point:
• https://docs.min.io/docs/minio-quickstart-guide.html
• https://docs.min.io/docs/minio-client-complete-guide
• Other vendor examples:
• IBM Cloud
• NetApp & others
40. DAOS T2 Configuration
• Simple configuration
• Credential name of the user/password stored in the credential store
• S3 bucket / S3 endpoint
• Settings for the S3 server
• Push to object store if not accessed for:
• Standard value 1000 days
• Minimum internal value 7 days
41. S3 Storage ID
• Unique identifier for the server, created the first time the server configures itself for tier 2. This ID becomes part of the name of each S3 object!
• Don't change this ID once it is established!
• You cannot access existing S3 objects if the ID changes!
42. Create S3 Credentials
Create a file with the credentials, “dominocred.txt”:
[dominocos]
aws_access_key_id = my-access-key..
aws_secret_access_key = my-secret-key...
Create a named encryption key and the credential store:
• KEYMGMT CREATE NEK credstorenek
• KEYMGMT CREATE CREDSTORE credstorenek
• Credentials are stored encrypted in the credential store:
• tell daosmgr S3 storecred dominocred.txt
43. S3 MinIO special configuration
• S3 MinIO needs additional parameters
• Some of them are not just for MinIO
• S3_USE_MINIO=1
• Enables the MinIO configuration
• COS_SKIP_SSL_VERIFY=1
• Disables SSL certificate checking – otherwise certificates are checked against cacert.pem in the data directory
• COS_USE_HTTP=1
• Use HTTP instead of HTTPS (only recommended for local or test deployments)
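An added Python pre-flight check (not from the slides, not HCL code) for the two configuration pieces just described: it validates that a credential file has the `[name]` section with both AWS keys before it is handed to `tell daosmgr S3 storecred`, and it scans notes.ini lines for `COS_SKIP_SSL_VERIFY=1` and `COS_USE_HTTP=1`, which are fine for a local MinIO test but should not survive into a production server. The sample credential text and notes.ini lines are constructed; treating notes.ini keys as case-insensitive is an assumption of this example.

```python
"""Pre-flight checks for Domino DAOS tier 2 S3 settings.
Added example; not part of Domino or of these slides."""
import configparser

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")

# notes.ini switches from the slide that weaken transport security, with the reason.
TRANSPORT_WEAKENING = {
    "COS_SKIP_SSL_VERIFY": "certificate check against cacert.pem in the data directory is disabled",
    "COS_USE_HTTP": "S3 traffic uses plain HTTP instead of HTTPS",
}


def check_credential_file(text):
    """Parse a credential file in the [name] / key = value format shown on the slide.

    Returns (credential_names, problems); an empty problems list means it is usable."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    names = cp.sections()
    problems = []
    if not names:
        problems.append("no [credential-name] section found")
    for name in names:
        for key in REQUIRED_KEYS:
            if not cp.has_option(name, key) or not cp.get(name, key).strip():
                problems.append(f"[{name}] is missing {key}")
    return names, problems


def parse_notes_ini(lines):
    """Turn notes.ini lines into a dict; keys are upper-cased (assumption: case-insensitive)."""
    settings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def check_s3_settings(settings, production=True):
    """Return finding strings for the S3/MinIO switches; ERROR level when production=True."""
    findings = []
    for key, why in TRANSPORT_WEAKENING.items():
        if settings.get(key) == "1":
            level = "ERROR" if production else "INFO"
            findings.append(f"{level}: {key}=1 - {why}")
    if settings.get("S3_USE_MINIO") == "1":
        findings.append("INFO: S3_USE_MINIO=1 - MinIO-specific configuration enabled")
    return findings


# Constructed sample input (placeholder key values, not real credentials).
SAMPLE_CRED = """[dominocos]
aws_access_key_id = EXAMPLE-ACCESS-KEY
aws_secret_access_key = EXAMPLE-SECRET-KEY
"""

SAMPLE_NOTES_INI = [
    "ServerTasks=Replica,Router,Update,HTTP",
    "S3_USE_MINIO=1",
    "COS_SKIP_SSL_VERIFY=1",
    "COS_USE_HTTP=1",
]

if __name__ == "__main__":
    names, problems = check_credential_file(SAMPLE_CRED)
    print("credentials:", names, "problems:", problems)
    for finding in check_s3_settings(parse_notes_ini(SAMPLE_NOTES_INI)):
        print(finding)
```

Run with `production=False` for a MinIO test box, where the two switches are expected; on a production server any ERROR finding means the notes.ini still carries test settings.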
44. Restart server and check startup
• Restart the server
• This is needed to restart DAOS for each process
• Make sure the server configuration is replicated to the right server ;-)
• Server commands:
• tell daosmgr status
• tell daosmgr objectinfo summary
• tell daosmgr objectinfo all
45. New “tell daosmgr” commands
• OBJECTINFO [-O outfile] [-olderThan days] [-prefix prefix] [TIER1|TIER2|ALL|SUMMARY]
• Shows information about DAOS objects
• OBJECTPUSH age – pushes objects older than age to S3
• Manually push NLOs to T2 – very useful for testing
• S3 related config commands:
• S3 STORECRED cred-file-path [OVERWRITE] – stores an S3 credential in the credential store
• S3 DELETECRED cred-name – deletes an S3 credential from the credential store
• S3 SHOW – shows the S3 credentials in the credential store
46. Tell daosmgr status
...
24.11.2019 08:56:26 DAOS Encryption is currently Disabled
24.11.2019 08:56:26
24.11.2019 08:56:26 DAOS Tier2 is Enabled
24.11.2019 08:56:26
24.11.2019 08:56:26 DAOS Tier2 Server ID = 045731D47D45CF4B3BAC64C260EB84A92822F76A
24.11.2019 08:56:26 DAOS Tier2 Credential name = dominocos
24.11.2019 08:56:26 DAOS Tier2 Bucket = nsh-domino11-daos
24.11.2019 08:56:26 DAOS Tier2 Endpoint = 192.168.100.107:9000
24.11.2019 08:56:26 DAOS Tier2 days since last access before pushing = 1
...
49. S3 Storage Encryption and Backup
• The channel is already HTTPS encrypted
• Even if your DAOS store isn't encrypted, the S3 NLOs are encrypted on the fly!
• Paranoid admins might add another level of encryption at the AWS level
• Backup could be performed locally before data is pushed to S3
• But the backup would then have to retain NLOs that have been moved to S3 instead of deleting them
• Backup should also be performed on the S3 storage!
50. AWS References and Download
• Built with AWS SDK for C++ version 1.7.85
• https://aws.amazon.com/sdk-for-cpp
• AWS Command Line Tools
• https://aws.amazon.com/cli/
• Short video
• https://youtu.be/77lMCiiMilo
51. “FlexNet Licensing Server” instead of “ILMT”
• HCL is planning to use the FlexNet License services
• FlexNet License Portal
• Provides license information and license keys
• Software downloads
• License measurement with the FlexNet License Server instead of ILMT
• The idea is to count floating users in a 30-day usage period
• All users with authenticated access to a non-system database count
• Access types measured:
• NRPC access (Notes client, Traveler)
• HTTP (e.g. iNotes, Verse)
• POP3/IMAP
52. Licensing Terminology
• Entitlement
• The licensing model you've been entitled to. For Domino, you're entitled to Counted User model licensing, which is based on the number of users accessing Domino servers.
• There will be a license key for Domino 11
• FlexNet Operations Site (FNO)
• Site used to download software and map licensing entitlements. Referred to as
• License server (device on FNO site)
• A server to which Domino connects to validate licensing entitlements
• Either a Cloud License Server or a Local License Server configuration
53. Cloud License Server (CLS)
• A virtual/logical license server available through the HCL License Portal
• You configure a logical device on the FNO website
• FlexNet server identifier and admin password that you specify
• HTTPS connection needed from Domino servers to the FNO license servers
• Most customers will probably use the CLS
• No FlexNet server setup is needed
54. Local License Server (LLS) – planned for 11.0.1
• A license server installed on-premises
• Two different modes:
• Online: connects to the FNO website
• Connects over HTTPS to the FNO license servers
• Completely offline:
• Entitlements are manually downloaded and imported into the LLS
• Reports are manually downloaded from the LLS and uploaded to the FNO website
• Manual process which needs access to the LLS and the FNO website!
55. Configure Cloud License Server (CLS)
• Log into your FlexNet account
• https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/startPage.do
• Create a virtual “license device” (CLS)
• Set a password for the device
• Map licenses
57. Configure as “CLS”
• Give it a meaningful name and site name
• Just for reference; not used
• Select “Runs license server?”
• Select “Server deployment”: “Cloud”
63. Connect Domino to CLS
• Domino needs to connect to the CLS over HTTPS
• Either directly or via proxy
• In 11.0.0 without authentication only
• REST requests to FlexNet are authenticated via “JSON Web Token” (JWT)
• A JSON web token needs to be generated from a public/private key pair
• The public key needs to be registered with the CLS server
• Sounds complicated, but is covered by a server command (not part of Beta 2)
64. Domino License Configuration
• The JWT needs to be stored in a local file on the server
• License configuration is in a new tab in the configuration document
• All servers can share the same configuration
• But each server currently has its own configuration and would need to connect to FlexNet on its own
66. Domino FlexNet License Reporting
• “show license” Domino server command
• Shows the currently cached licenses:
show license
Begin Domino License Cache dump.
Licensed Entity:
Added to cache time Error Total Hits MQ HashID Last Server Attempt Last Server Refresh Expires
---------------------- ----- ---------- -- ---------------------------------------- ---------------------- ---------------------- ----------------------
daniel nashed/nashcomlab :
23.11.2019 16:57:27 0 1 0 1A8F29B6674EF0F4A86918A046078E93EB892E7A 23.11.2019 16:57:28 23.11.2019 16:57:28 23.12.2019 16:57:28
---------------------- ----- ---------- -- ---------------------------------------- ---------------------- ---------------------- ----------------------
License.Cache.Entries = 1
License.Cache.Hits = 1
License.Cache.Misses = 1
License.Cache.HitRate = 50%
License.Cache.PoolSize = 1048576
License.Cache.PoolUsed = 1024
License Model = Counted User
Last cache enumeration time: 23.11.2019 17:56:35
End Domino License Cache dump.
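Administrators who want to watch license cache expiry from a script can parse this dump. The following Python parser is an added example (not part of Domino or of the slides); it uses the dump above as its sample input, extracts the `License.Cache.*` counters and each cached entry with its expiry time, and computes the days left relative to the dump's own enumeration time. The column order (added, error, total hits, MQ, hash id, last server attempt, last server refresh, expires) is taken from the header line of the dump.

```python
"""Parse the Domino 11 'show license' console dump and report cache expiry.
Added example; not part of Domino or of these slides."""
import re
from datetime import datetime

DT = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"   # date/time format used in the dump
DT_FMT = "%d.%m.%Y %H:%M:%S"
# One cache row, columns as in the dump header: added, error, total hits, MQ,
# hash id, last server attempt, last server refresh, expires
ROW = re.compile(rf"^({DT})\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-F]{{40}})\s+({DT})\s+({DT})\s+({DT})$")
ENTITY = re.compile(r"^(.+?)\s*:$")                 # e.g. "daniel nashed/nashcomlab :"
COUNTER = re.compile(r"^(License\.Cache\.\w+)\s*=\s*(\S+)$")


def _ts(s):
    return datetime.strptime(s, DT_FMT)


def parse_show_license(text):
    """Return counters, license model, cached entries and the enumeration time."""
    result = {"counters": {}, "model": None, "entries": [], "enumerated": None}
    entity = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNTER.match(line)
        if m:
            value = m.group(2).rstrip("%")           # HitRate is printed as "50%"
            result["counters"][m.group(1)] = int(value) if value.isdigit() else m.group(2)
            continue
        m = ROW.match(line)
        if m:
            result["entries"].append({
                "entity": entity,
                "added": _ts(m.group(1)),
                "error": int(m.group(2)),
                "hits": int(m.group(3)),
                "mq": int(m.group(4)),
                "hash_id": m.group(5),
                "last_attempt": _ts(m.group(6)),
                "last_refresh": _ts(m.group(7)),
                "expires": _ts(m.group(8)),
            })
            continue
        if line.startswith("License Model ="):
            result["model"] = line.split("=", 1)[1].strip()
        elif line.startswith("Last cache enumeration time:"):
            result["enumerated"] = _ts(line.split(":", 1)[1].strip())
        elif not line.startswith("Licensed Entity"):
            m = ENTITY.match(line)                   # the entity name precedes its row
            if m:
                entity = m.group(1)
    return result


def days_until_expiry(parsed, now=None):
    """Map hash id -> whole days left, relative to now (default: the dump's enumeration time)."""
    now = now or parsed["enumerated"] or datetime.now()
    return {e["hash_id"]: (e["expires"] - now).days for e in parsed["entries"]}


def expiring_within(parsed, days, now=None):
    """Hash ids of cached licenses that expire within the given number of days."""
    return [h for h, left in days_until_expiry(parsed, now).items() if left <= days]


# Sample input: the dump shown on the slide above.
SAMPLE_DUMP = """Begin Domino License Cache dump.
Licensed Entity:
Added to cache time Error Total Hits MQ HashID Last Server Attempt Last Server Refresh Expires
---------------------- ----- ---------- -- ---------------------------------------- ---------------------- ---------------------- ----------------------
daniel nashed/nashcomlab :
23.11.2019 16:57:27 0 1 0 1A8F29B6674EF0F4A86918A046078E93EB892E7A 23.11.2019 16:57:28 23.11.2019 16:57:28 23.12.2019 16:57:28
---------------------- ----- ---------- -- ---------------------------------------- ---------------------- ---------------------- ----------------------
License.Cache.Entries = 1
License.Cache.Hits = 1
License.Cache.Misses = 1
License.Cache.HitRate = 50%
License.Cache.PoolSize = 1048576
License.Cache.PoolUsed = 1024
License Model = Counted User
Last cache enumeration time: 23.11.2019 17:56:35
End Domino License Cache dump.
"""

if __name__ == "__main__":
    parsed = parse_show_license(SAMPLE_DUMP)
    print(parsed["model"], parsed["counters"])
    for hash_id, left in days_until_expiry(parsed).items():
        print(f"{hash_id} ({parsed['entries'][0]['entity']}): expires in {left} days")
```

Feed it the console output captured from a real server and call `expiring_within(parsed, 7)` to get the entries that will drop out of the cache within a week.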
67. Domino FlexNet License Reporting
• Show used licenses using the FlexNet admin tool
• The command line needs your FlexNet server identifier and admin password for the CLS:
flexnetlsadmin -server https://hclsoftware.compliance.flexnetoperations.com/api/1.0/instances/DZ2EPP4XGCKT -authorize admin xyz -licenses -verbose
User authentication succeeded.
=======================================================================================
Feature ID Feature Name Feature Version Feature Count Used/Available
=======================================================================================
682125 HDOMINO_User 1.0 4/6
=======================================================================================
Device Information:
-------------------------------------------------------------
Device Name Feature Registered(Used Count)
-------------------------------------------------------------
CAF36C31C586F7561610D449F265CC7396D9622A HDOMINO_User(1)
2DCF1E219F34A8D21966D30544D71E62D94ED994 HDOMINO_User(1)
CBC2706DA6267BAE259F5F93DC76287B4FB3D80A HDOMINO_User(1)
1A8F29B6674EF0F4A86918A046078E93EB892E7A HDOMINO_User(1)
=======================================================================================
Total feature count : 10
Total feature count used : 4
Total uncounted features : 0
=======================================================================================
68. FlexNet License Server Download Packages
• Needed for:
• Local License Server
• FlexNet admin commands
• Windows or Linux, local online or offline server – just download the online version
• Those files are usually used for the Local License Servers
• The extracted directories contain an “enterprise” directory, containing the “flexnetadmin” command
69. Traveler 11
• Works on Domino 9.0.1, 10.0.1, 11.0
• You should install the current fixpacks (9.0.1 FP10 IF5, 10.0.1 FP3)
• Traveler is a continuous build with a build date, which gets a “version tag” at some point
• The same installer installs different binaries depending on your Domino version!
• For example, for Domino 11 the GSKit is removed
• HTTP/2 support for APNS (Apple Push Notifications)
• Supports ActiveSync 16
• Draft folder sync
• Calendar attachments & more than 24-hour meeting support
70. Domino Docker
• Domino 9.0.1 FP10 is already supported on Docker
• Documented via an IBM technote (not available any more)
• IBM published a first reference implementation on GitHub
• https://github.com/IBM/domino-docker
• Dockerfiles run on Linux and Mac OS X Docker hosts
• Domino-Core image Dockerfiles will contain the installation for Domino 10.0.1
• Sample Dockerfiles show how to adapt the image for your environment and applications
• The Nash!Com Domino Start Script supports Domino on Docker with an automatic installation routine and Docker entrypoint
71. Virtual Machine vs. Docker Infrastructure
(Diagram comparing Virtual Machines with Docker Containers)
72. Docker Container Concept
• A container is:
• A layered file system where each layer references the layer below
• A run-time instance of an image
• Not containing your persistent (Domino) data
• That data is stored on a separate “volume”
• Images:
• Are used to create containers
• Layers build on top of each other
• Only the differences are stored in each layer
73. Questions & Answers?
• Questions & further information:
• http://blog.nashcom.de, nsh@nashcom.de
• https://www.eknori.de, ulrich.krause@midpoints.de
• Resources:
• HCL site
• https://www.hcltechsw.com/welcome
• Domino Ideas #dominoforever
• https://domino-ideas.hcltechsw.com
• Submit your most wanted features