Richard Pajerski  Software development and consulting

CertMatica now includes Let's Encrypt certificate automation for HCL Sametime 11 Proxy Server

by Richard Pajerski


Posted on Monday September 28, 2020 at 12:05AM in Technology


In addition to Domino, CertMatica now includes the ability to install and renew Let's Encrypt certificates for Sametime 11 Proxy servers.  Using the simplicity (and power) of a single .nsf solution, CertMatica can help to centralize administration for LE certificates across both server types and seamlessly manage service restarts.  No extra dependencies needed.

For more information, please visit the CertMatica 3.5.0 product page.

As always, comments and suggestions are welcome!


Sametime 11 FP2 upgrade - keep MongoDb running

by Richard Pajerski


Posted on Friday August 21, 2020 at 01:51PM in Technology


[Edit August 27, 2020: HCL has updated the documentation to include: "MongoDB needs to remain active during upgrade"]

Quick note on Sametime 11 FP2 which is now available on FlexNet.  [The fixlist is located here and the accompanying upgrade instructions are here.]

The instructions tell you to:

-- Close all applications on the server, including the Domino server administrator and the web browser.
-- Stop all Domino and Sametime services.

You might think this includes stopping the MongoDb service as well but you should actually keep that running, at least before you run the proxy upgrade.  The reason is that the proxy upgrade script tries to connect to the MongoDb service and if it isn't running the upgrade will not succeed and you'll be asked to:

"Please verify/update dbconfig.properties and stproxyconfig.xml manually."

It's not a major issue... you can simply restart the MongoDb service and rerun the upgrade.  However, since the upgrade process makes a backup of the previous Tomcat install, you'll now have a duplicate set of backup files.
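A small pre-flight check that catches the mistake described above before the proxy upgrade is run. This is an added example and not part of the original post or of HCL's upgrade scripts; it assumes MongoDB is on the local machine on its default port 27017 (both are parameters, since your install may differ).

```python
"""Pre-flight check before running the Sametime 11 FP2 proxy upgrade.

Added example, not part of the original post: confirms that the MongoDB
service is still accepting TCP connections before the upgrade script is run,
since the upgrade fails with "Please verify/update dbconfig.properties and
stproxyconfig.xml manually." when it cannot reach MongoDB.
Host and port defaults are assumptions (27017 is MongoDB's default port).
"""
import socket


def mongodb_is_listening(host: str = "127.0.0.1", port: int = 27017,
                         timeout: float = 2.0) -> bool:
    """Return True if something accepts a TCP connection on host:port.

    This only proves a listener is up, not that it is MongoDB; that is
    enough to catch "I stopped every service, including MongoDB".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight_report(host: str = "127.0.0.1", port: int = 27017) -> str:
    """Human-readable verdict for the administrator running the upgrade."""
    if mongodb_is_listening(host, port):
        return (f"OK: MongoDB listener reachable at {host}:{port}; "
                "safe to run the proxy upgrade.")
    return (f"STOP: nothing is listening at {host}:{port}. Start the MongoDB "
            "service before running the proxy upgrade, or the upgrade will fail "
            "and leave a duplicate Tomcat backup.")


def open_scratch_listener():
    """Open a throwaway TCP listener on an ephemeral loopback port (self-test aid)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print(preflight_report())
```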



New product for Domino keyrings: Aperture

by Richard Pajerski


Posted on Monday July 20, 2020 at 11:23AM in Technology



Since many development and administrative tasks in Notes/Domino can conveniently be carried out with great front-end tools like Domino Designer or Administrator, it can sometimes be inconvenient when we're required to use the command line or terminal to get things done.  Working with Domino keyrings is a case in point and one of the reasons why I developed Aperture.

Aperture is a lightweight desktop application that allows you to work with those .kyr files without having to resort to the command line.  It works with both the KYRTool and OpenSSL to allow you to visually create keyrings, view their contents, create Certificate Signing Requests and perform several other tasks you'd normally be doing on the command line.


Please visit the Aperture product page for more details:  https://www.rhpconsult.com/aperture.html.


As always, comments and suggestions are appreciated!


CertMatica update - release 3.1.0

by Richard Pajerski


Posted on Monday July 20, 2020 at 11:23AM in Technology


The latest update to CertMatica (CertMatica 3.1.0 - ACME certificate renewals for Domino) is now available.  This latest release fixes a few bugs on Linux installations but also includes a new feature to auto-restart the Traveler task.  Enjoy!





Sametime 11 with Proxy Server -- installation notes

by Richard Pajerski


Posted on Thursday March 19, 2020 at 04:39PM in Technology


HCL Sametime 11 has been out for a few months now and brought important technical changes that, when used in conjunction with the Sametime 11 Proxy Server, make it a more compelling offering than previous versions released by IBM.


The most fundamental change is the streamlined installation that removes the DB2 and Websphere dependencies needed for the proxy server. Those components have been replaced by MongoDB and a Tomcat-based proxy server respectively, both of which are indeed simpler to install and configure.  It's been rumored that an .nsf storage option will be offered in the next release and that should further smooth out the installation process.


That being said, getting everything up and running is more difficult than it should be.  One notable problem is the documentation.  The language is at times too informal (even ambiguous), the formatting could use some tidying up (unclear headings/inconsistent fonts for samples, etc.) and a URL for details on setting up SSL/TLS sends you to the wrong version (10) -- apparently, no version 11-specific documentation is available.  More importantly, if this is a fresh Sametime installation (which is the only supported option), what's *left out* of the documentation might lead to broken communication between the proxy and the Sametime server.

After successfully completing the Windows installation, I attempted to log in to the proxy from a browser and was greeted with "Sametime is temporarily unavailable":


[Image: sametime2.png]


The problem wasn't immediately obvious because in the proxy's logs I found entries like "Sametime Proxy server is successfully connected to the Sametime community, ...".  But digging further into the logs, I found "generateTokenFailed reason: 80000000".  So network communication was there but SSO wasn't working.

PRO TIP: Get more verbose logging on the proxy by uncommenting these two lines in Tomcat's logging.properties file (sametimeproxy\conf directory):
com.ibm.level=FINE
com.ibm.handlers = 2localhost.org.apache.juli.AsyncFileHandler


During the Sametime server installation, the installer creates a Web/SSO document in the Domino Directory called "LtpaToken", sets the Session authentication field to "Multiple Servers (SSO)" (in the Domino server document) and correctly references the Web/SSO document.  However, on this fresh installation, the DNS Domain name field of the Web/SSO document was blank:


[Image: sametime1.png]

That's going to leave you with "HTTP Server: Error loading Web SSO Cookie Name Configuration 'LtpaToken' for Web Site ..." on the Domino server and will prevent Sametime from properly creating an SSO token to send to the proxy server. 

Adding the DNS domain name (in my case, .testlab.com) to the Web/SSO document should fix the login problem for most installations.  But in my Windows installation, there was a further complication that kept producing "Sametime is temporarily unavailable".  It turns out the fully-qualified hostname for the Sametime server was not being passed to the proxy.  From the proxy's logs:

serverFQDN: S1
cluster: CN=S1/O=TestLab
serverURL: 192.168.0.102


The fix for this was to enter the fully-qualified domain name for the Sametime server in the Net Address field of the Domino Server document (Ports > Notes Network Ports tab).  After that, the login worked and the proxy reported:

serverFQDN: s1.testlab.com
cluster: CN=S1/O=TestLab
serverURL: 192.168.0.102
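To make the two failure modes above easier to spot on the next installation, here is a log checker that flags the symptoms this post identifies and prints the corresponding fix. It is an added example, not part of the original post or of HCL's tooling; the sample log lines are constructed and paraphrase the messages quoted above, and the regular expressions assume those messages appear verbatim in the proxy (Tomcat) and Domino console logs.

```python
"""Spot the Sametime 11 proxy login failures described in the post.

Added example, not part of the original post or of HCL's tooling. It scans
Sametime Proxy (Tomcat) and Domino console lines for three symptoms:
the SSO token failure ("generateTokenFailed reason: 80000000"), the Domino
Web SSO configuration error, and a serverFQDN value that is not actually
fully qualified. Sample lines are constructed for the demo.
"""
import re
from typing import List

TOKEN_FAILED = re.compile(r"generateTokenFailed reason: (\w+)")
WEB_SSO_ERROR = re.compile(r"Error loading Web SSO Cookie Name Configuration '([^']+)'")
SERVER_FQDN = re.compile(r"serverFQDN:\s*(\S+)")


def is_fully_qualified(hostname: str) -> bool:
    """A usable serverFQDN has at least two non-empty labels (s1.testlab.com, not S1)."""
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def diagnose(lines: List[str]) -> List[str]:
    """Return one finding per matching line, each with the fix the post describes."""
    findings = []
    for line in lines:
        m = TOKEN_FAILED.search(line)
        if m:
            findings.append(
                f"SSO token generation failed (reason {m.group(1)}): check the "
                "DNS Domain name field of the Web/SSO document on the Sametime server.")
        m = WEB_SSO_ERROR.search(line)
        if m:
            findings.append(
                f"Domino could not load Web SSO configuration '{m.group(1)}': "
                "the Web/SSO document is incomplete (blank DNS Domain name).")
        m = SERVER_FQDN.search(line)
        if m and not is_fully_qualified(m.group(1)):
            findings.append(
                f"serverFQDN '{m.group(1)}' is not fully qualified: enter the FQDN in "
                "the Net Address field of the Domino server document "
                "(Ports > Notes Network Ports).")
    return findings


# Constructed sample lines, modelled on the messages quoted in the post.
SAMPLE_BROKEN = [
    "INFO  Sametime Proxy server is successfully connected to the Sametime community, ...",
    "FINE  generateTokenFailed reason: 80000000",
    "HTTP Server: Error loading Web SSO Cookie Name Configuration 'LtpaToken' for Web Site ...",
    "serverFQDN: S1",
    "cluster: CN=S1/O=TestLab",
    "serverURL: 192.168.0.102",
]
SAMPLE_FIXED = [
    "serverFQDN: s1.testlab.com",
    "cluster: CN=S1/O=TestLab",
    "serverURL: 192.168.0.102",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_BROKEN):
        print("-", finding)
    print("findings on the fixed install:", diagnose(SAMPLE_FIXED))
```

Run it against the proxy log after enabling the FINE level mentioned above; the "successfully connected" line is deliberately ignored, since, as the post notes, network connectivity is not the problem.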


Conclusion
So what's *left out* of the documentation is any reference to the Web/SSO and LtpaToken configuration on the Sametime server.  Whether or not the blank DNS Domain name field is an "out-of-the-box" configuration error, some mention of the Web/SSO details back on the Sametime server would be a helpful addition to the documentation.

How are your Sametime 11 installations coming along?


HCL Notes/Domino 11.0.1 Preview now available

by Richard Pajerski


Posted on Friday February 28, 2020 at 09:37AM in Technology


If you were a Notes/Domino 11 beta participant, the 11.0.1 preview is now available.  Use your existing links to access the downloads from FlexNet and the beta forum.


Important webinar for Domino 11 ...

by Richard Pajerski


Posted on Friday August 02, 2019 at 01:59PM in Technology


is right around the corner (August 7, 2019):  https://register.gotowebinar.com/register/5645329603541153035

Looking forward to hearing about the roadmap and how to sign up for the beta.


HCL Forecast: Mostly cloudy (not surprisingly)

by Richard Pajerski


Posted on Thursday July 18, 2019 at 03:27PM in Technology


Be they public, private or the newly-minted "Partner-led" clouds, one message HCL is making clear is that the future for the newly-acquired IBM collaboration product portfolio will be all about the cloud.  Richard Jefts (General Manager, HCL Digital Solutions) has just published here on the new approach: Update on HCL Acquisition of IBM Collaboration Portfolio (Edit March 2021: Update on HCL Acquisition of IBM Collaboration Portfolio).


It appears that the biggest impact will be on current SmartCloud Notes users who will now need to transition away from that offering to one of the new HCL cloud models.  In practice, that will probably entail some form of migration back to a traditional, on-premises Domino/Portal solution (or Domino/Portal-hosted partner solution).  Those who currently run on-premises applications and solutions, including Verse, will (likely) not be immediately affected.

It's good to hear mail will continue to be a core area for Domino; however, the "for the foreseeable future" is an interesting qualification that suggests it may not be for long.  The tight integration of email within collaborative Notes/Domino applications won't go away but will loosen up as different messaging providers take over the role of Notes mail clients.  HCL's announcement here is not surprising (or at least not shocking) and I think it strikes the right balance between managing what works well today on-premises and where much new development will be going forward: cloud.


Eclipse J9 is a big deal

by Richard Pajerski


Posted on Friday March 15, 2019 at 11:59PM in Technology


Having developed with Java for a number of years in various environments (Notes/Domino, Tomcat, ActiveMQ,  Android, desktop, etc.), I was initially skeptical when I read this article and watched the video about the recently-improved Eclipse OpenJ9: https://developer.ibm.com/videos/introduction-to-eclipse-openj9-and-adoptopenjdknet/

Yes, Java has incrementally improved over time but the claims here seemed a bit over the top.  To think I might get both noticeably faster startup *and* up to 50% memory reduction just by switching to J9 seemed to be a bit too optimistic.  But after downloading (adoptopenjdk.net) and giving it a spin, I was not disappointed.

Sure enough, out-of-the-box startup time for Netbeans 8.2 on Windows 8.1 improved dramatically against Oracle Java 1.8.0_191 (running quad-core I7 on SSD).  There was no point in taking measurements -- it was up and ready in three seconds!  This didn't seem possible with Netbeans but there it was.  Everything worked the same as before ... only faster.  Then the real shocker: RAM usage went from roughly 650M down to 268M!  Huh?  If I can eliminate that much RAM usage for hosted server side deployments, it's going to translate into real cash savings.

On top of the performance upgrade and memory savings, I immediately noticed that Swing is visually better in J9 than OpenJDK [edit: with the HotSpot VM].  In particular, the default font rendering is really nice!  In the past, OpenJDK has generally lagged behind Oracle Java for desktop applications and still does; but to my eyes, J9 is now at visual parity with Oracle (or perhaps better).

I realize that J9 has been the JVM in Notes/Domino all these years but I've never attempted to benchmark it against other JVMs since IBM never really promoted it as a JDK for Windows.  I'm currently using 9.0.1 FP10 which uses build 8.0.5.21 of J9:


[Image: notesjvm.png]

Hopefully, IBM can manage to get the latest J9 into an upcoming fixpack.  I sure have lots of Notes and Domino Java code that could benefit from it.

A big congratulations and thank you to Mark Stoodley and all the other engineers and players behind this release!


LEND 2.0 is now out and includes domain wildcard support

by Richard Pajerski


Posted on Friday December 28, 2018 at 07:29PM in Technology


[Edit February 2020: the LEND product has been renamed to CertMatica]


Version 2.0 of LEND is now available and comes with domain wildcard certificate support via DNS challenge.


Wildcard certificates are convenient particularly in situations where a single Domino server hosts multiple virtual sites, each of which needs SSL/TLS protection. Managing separate certificates for each Domino SSL site in this situation is feasible but not very practical since each one requires its own IP address.  A wildcard certificate takes care of that issue and fortunately, Let's Encrypt began offering wildcard certificates earlier this year.  However, as of this blog posting, they're only supported with the DNS-01 challenge type.


The DNS challenge feature was interesting to implement because Let's Encrypt DNS challenges do not offer the same level of automation as HTTP challenges.  With the DNS challenge, Let's Encrypt servers will query your hosting provider during the challenge/response phase instead of your HTTP server (which is queried when using the HTTP challenge).  Since there's no industry-standard way to modify DNS records, the challenge must be entered manually at renewal time, typically using your hosting provider's custom web interface. Fortunately, LEND now has built-in workflow to remind administrators when to do so at renewal time!
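For administrators who have to type the DNS challenge into their hosting provider's web interface, this is what the record actually contains. The example is added here and is not LEND/CertMatica code; it implements the DNS-01 arithmetic from RFC 8555 (key authorization = token.thumbprint, TXT value = base64url(SHA-256(key authorization)), record name `_acme-challenge.<domain>` with the `*.` stripped for a wildcard order). The token and thumbprint in the demo are constructed placeholders; in practice the token comes from the Let's Encrypt server and the thumbprint from your ACME account key.

```python
"""What an administrator must publish for a Let's Encrypt DNS-01 challenge.

Added example, not code from LEND/CertMatica. Implements the DNS-01 rules
of RFC 8555 (ACME): the key authorization is <token>.<account key thumbprint>,
the TXT record value is the base64url-encoded SHA-256 of that string, and the
record lives at _acme-challenge.<domain> (a wildcard "*.example.com" is
validated at _acme-challenge.example.com). Demo token/thumbprint are
constructed placeholders, not real ACME material.
"""
import base64
import hashlib


def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)) without '=' padding, as ACME requires."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record; a wildcard validates the base domain."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{domain}"


def dns01_record_value(token: str, account_thumbprint: str) -> str:
    """TXT record content: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{account_thumbprint}"
    return b64url_sha256(key_authorization.encode("ascii"))


def txt_record_matches(published: list, expected: str) -> bool:
    """Does any TXT string the provider currently returns equal the expected value?

    Let's Encrypt compares the exact string: a stale value from the previous
    renewal sitting next to the new one is harmless, a missing or mistyped
    value fails validation.
    """
    return any(v.strip('"') == expected for v in published)


if __name__ == "__main__":
    # Constructed placeholders, not values issued by any ACME server.
    token = "exampleTokenFromAcmeServer0000000000000000"
    thumbprint = "exampleAccountKeyThumbprint000000000000000"
    name = challenge_record_name("*.example.com")
    value = dns01_record_value(token, thumbprint)
    print(f'{name}. IN TXT "{value}"')
```

After publishing the record, a `dig TXT _acme-challenge.example.com` (or your provider's lookup tool) should show the exact 43-character value before you tell the client to continue; DNS propagation delay is the usual reason a manually entered challenge fails on the first attempt.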


Take LEND for a test ride and let me know what you think.


Multi-document transactions in Domino: needed!

by Richard Pajerski


Posted on Tuesday July 31, 2018 at 02:44PM in Technology


Among the areas getting attention in the upcoming release of Domino 10 is the data store.  As part of making Domino more bullet-proof, removing the 64GB limit on the NSF size is planned and will be a fantastic improvement.  Naturally, this is going to put more emphasis on overall database scalability.  As Domino gets more scalable, I think it's going to need a feature that many of us have been seeking for some time: multi-document ACID transactions.


Being able to save two or more documents as a single transaction cannot currently be done natively in Domino.  The best we can get is saving all of the fields associated with a single document using NotesDocument.Save: the operation either succeeds or fails.  This is fine for most Notes/Domino applications but there are a number of cases where having a transactional save across multiple documents is desirable.  A simple work order system where multiple, related tasks are attached to a main work order request is an obvious example.  Implementing each task as a separate document is an intuitive approach and can simplify programming of such a system.


MongoDB 4.0 recently introduced multi-document transactions.  And although Domino doesn't directly compete with MongoDB or other NoSQL databases, as it begins to scale, it's nonetheless going to need to act more like them.


What do you think?


James Mail Server -- disable saving outbound mail

by Richard Pajerski


Posted on Friday April 13, 2018 at 01:12PM in Technology


By default, the James Mail Server (3.x versions) saves a copy of all outbound messages on the server. While this may be appropriate in certain scenarios, it doesn't seem to be a good default setting for your average POP3/SMTP installation. All of that sent mail accumulates on the server without any apparent mechanism for removing it. Deselecting the "Leave messages on server" setting found in POP3 mail clients does not apply here since outbound mail is sent via SMTP.

To disable this feature, comment out or remove the following block in mailetcontainer.xml (and restart):

<!-- Place a copy in the user Sent folder -->
<mailet match="SenderIsLocal" class="ToSenderFolder">
   <folder>Sent</folder>
   <consume>false</consume>
</mailet>
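If you manage several James instances, the edit is easy to script and to audit. The following is an added example, not part of the original post or of Apache James: it removes every `ToSenderFolder` mailet from a mailetcontainer.xml with the standard-library XML parser (equivalent to commenting the block out) and offers a check that reports whether a given config still keeps server-side copies. The sample document is constructed: it wraps the fragment quoted above in minimal parent elements, whereas a real mailetcontainer.xml contains many more processors and mailets.

```python
"""Remove (or verify the absence of) the ToSenderFolder mailet in James 3.x.

Added example, not part of the original post or of Apache James. Any <mailet>
whose class is ToSenderFolder is dropped, which has the same effect as
commenting the block out by hand. Note that ElementTree discards XML comments
when parsing, so the rewritten file loses them; keep a backup of the original.
The sample config below is constructed for the demo.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<mailetcontainer>
  <processors>
    <processor state="transport">
      <!-- Place a copy in the user Sent folder -->
      <mailet match="SenderIsLocal" class="ToSenderFolder">
        <folder>Sent</folder>
        <consume>false</consume>
      </mailet>
      <mailet match="All" class="Null"/>
    </processor>
  </processors>
</mailetcontainer>
"""


def sent_copy_mailets(root: ET.Element) -> list:
    """All <mailet> elements that keep a server-side copy of outbound mail."""
    return [m for m in root.iter("mailet") if m.get("class") == "ToSenderFolder"]


def disable_sent_copies(xml_text: str) -> tuple:
    """Return (rewritten xml text, number of mailets removed)."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the child -> parent map once.
    parent_map = {child: parent for parent in root.iter() for child in parent}
    removed = 0
    for mailet in sent_copy_mailets(root):
        parent_map[mailet].remove(mailet)
        removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def saves_outbound_copies(xml_text: str) -> bool:
    """Audit check: True means sent mail will still accumulate on the server."""
    return bool(sent_copy_mailets(ET.fromstring(xml_text)))


if __name__ == "__main__":
    new_xml, count = disable_sent_copies(SAMPLE_CONFIG)
    print(f"removed {count} mailet(s); still saving copies: "
          f"{saves_outbound_copies(new_xml)}")
    print(new_xml)
```

Restart James after writing the rewritten file back, as the post says; the audit function is the one to run on the running instance's config afterwards.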


IBM Announces Investment in Notes Domino Version 10 and Beyond

by Richard Pajerski


Posted on Wednesday October 25, 2017 at 04:51PM in Technology


IBM has announced a multi-year investment in Notes Domino with a major new release (Notes 10) coming out in 2018. The investment will include closely-related products such as Notes Traveler, IBM Sametime and IBM Verse.

Specific product details are scant at the moment but it's encouraging to see IBM laying out a long-term roadmap for Notes and Domino and broadcasting a commitment to protecting its clients' investments. Also, the new direction allows IBM partners to hope for commercial stability for these products for the foreseeable future. Overall, I'm optimistic about this announcement.

However, the partnership with HCL Technologies for future development raises some questions. Will HCL Technologies be able to innovate the way that Iris Associates once did? Is this merely a cost-cutting measure or does IBM no longer have the internal talent to take Notes/Domino into the future (or both)?

More here:
https://www.ibm.com/blogs/social-business/2017/10/25/ibm-announces-investment-notes-domino-version-10-beyond/


IBM Domino Community Server Edition now available

by Richard Pajerski


Posted on Friday September 15, 2017 at 11:07AM in Technology



See "IBM Domino Community Server for Non-Production Environments" here: https://www.ibm.com/developerworks/develop/collaboration/

This is the full Domino server product available at no charge. However, the restrictions are:
1) You have to select the "Utility Server" option (no mail).
2) It may only be used for testing applications in a non-production environment.

The latest feature pack (FP9 as of September 15, 2017) is also available for download.


*** July 2019 Update ***  Domino Community Server version 10.0.1 FP2: https://www.ibm.com/account/reg/us-en/signup?formid=urx-33713