Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity  

By Daniel Nashed | 10/28/24 2:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity This might help you in some network situations and it came up today in the OpenNTF Discord chat. TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even the application is not sending any data. The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only. Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default. On Windows you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds. A good default value would be 75 seconds like on Linux and MacOS.

Key Rollover vs Certifier rollover  

By Daniel Nashed | 10/28/24 2:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size. Key size and certificate key size play an important role in your security and you should be aware of it. Key Rollover Rolling over keys is a quite normal operation. It's a best practice to rotate keys at least when the recommended key strength changed. Rolling over a key is client side initiated but requires an admin action. Certifier Rollover When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID. For your organization certifier this will be the organization certifier itself which signs itself. Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order. You also have to take care of all cross certificates, Vault trust certificates. The process is quite complex and needs planning:

Check the minimum client version for your Notes application  

By Daniel Nashed | 10/25/24 3:12 AM | Development - Notes / Domino | Added by Roberto Boccadoro

Notes provides new functionality in Lotus Script and there also Java classes added to the client. Lotus Script Named documents have been introduced in Notes/Domino 12.0.1. I have just written an application which needs a Java class which is introduced in Notes 12.0.2 as it turned out. So I came up with a simple check I am going to add to all my applications which use more current functionality. You can drop this code into the PostOpen script of any database and switch to the right constant

Domino Container image custom add-on support enhancements  

By Daniel Nashed | 10/14/24 3:19 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There is a custom add-on functionality Martijn and Roberto just blogged about this week. https://blog.martdj.nl/2024/10/10/building-custom-add-ons-for-your-domino-container-image/ https://www.robertoboccadoro.com/2024/10/10/upgrading-ontime-in-a-container/ This was the missing trigger for me to look into it again. It's a quite new functionality which wasn't fully documented yet. Documentation I have added a new documentation mark down page-->https://opensource.hcltechsw.com/domino-container/concept_custom_addons/

Linux LSOF is causing 100% CPU load inside a container in some configurations  

By Daniel Nashed | 10/2/24 4:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Linux LSOF is causing 100% CPU load inside a container in some configurations https://blog.nashcom.de/nashcomblog.nsf/dx/ https://blog.nashcom.de/nashcomblog.nsf/feed.rss RSS - Daniel Nashed's Blog Daniel Nashed's Blog Daniel Nashed Linux LSOF is causing 100% CPU load inside a container in some configurations Linux Domino Container width=device-width, initial-scale=1.0, minimum-scale=1.0 Daniel Nashed's Blog ../nashcom.css ../dx/imprint.htm Imprint Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ... Search Search Search Search alt Daniel Nashed # Tags Tag: 64Bit ../archive?openview&title=64Bit&type=cat&cat=64Bit 64Bit Tag: ACME ../archive?openview&title=ACME&type=cat&cat=ACME ACME Tag: ACME HTTP-01 ../archive?openview&title=ACME%20HTTP-01&type=cat&cat=ACME%20HTTP-01 ACME HTTP-01 Tag: ADFS ../archive?openview&title=ADFS&type=cat&cat=ADFS ADFS Tag: AdminCentral ../archive?openview&title=AdminCentral&type=cat&cat=AdminCentral AdminCentral Tag: AIX ../archive?openvie

Disabling XPages if not needed reduces open files and HTTP start/stop time  

By Daniel Nashed | 9/30/24 4:30 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

While working on setup automation I often ran into HTTP startup challenges. It can take up to 40-50 seconds until the HTTP task is started. If you look at open files, you notice that each thread has more than 70 files open. This sums up to up quite some files and the HTTP server start/stop time is much slower. In case you don't use XPages there is a simple switch to disable the XPages run-time and only load the standard Java components. notes.ini INotesDisableXPageCMD=1 I first had the impression Java in general would cause overhead on start. But my tests drilled down to XPages/OSGI.

Domino 14.0 FP2 IF1 installer might fail on new machines -- VCRUNTIME140 32bit is missing  

By Daniel Nashed | 9/24/24 1:06 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I ran into this today when testing and got a customer reporting this one hour later. So it was easy to reply with a root cause and solution. Domino is a 64bit application. Therefore the Windows run-time installed with the Domino release installer is 64bit only. The Fixpack installer has no VC runtime requirements. But it turns out the hotfix installer, which is also used for interim fixes is also a 32bit installer and has VC dependencies.

Domino does not shutdown cleanly when Windows is rebooted or shutdown  

By Daniel Nashed | 9/11/24 6:23 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When stopping the Domino service manually, the Windows service control manager (SCM) waits sufficient time to shutdown Domino cleanly. But it turns out a Windows shutdown or reboot does not wait sufficient time for service termination. This is critical because it would kill running Domino processes without notice. Even with transaction log enabled, this isn't a desirable situation.

How to find out what is eating my disk space on Linux?  

By Daniel Nashed | 9/11/24 6:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you don't know the Linux tool ncdu, this will make your day. The tool by default scans from where you are or any directory you specify. Specially when running on WSL you might want to use excludes. On top there is a delete option, which can be quite helpful when you find large files you don't need. I am using it for years and it did safe my IT life more than once. And it is very fast...

Domino One Touch Setup (OTS) advanced examples and helpers  

By Daniel Nashed | 7/29/24 3:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

OTS is a very powerful and flexible feature of Domino 12+ which has been extended in each dot release since then. I am OTS a lot in the container world. But it also works on Windows. It perfectly fits into the container world. And we added a couple of integration points into the container image. Because I got a couple of questions I wrote up some examples, related information and also an Lotus Script agent to extend the functionality. The agent is intended to be an example how to wrote own integrations and also to leverage and extend the existing agent for own needs.

Pretty-Printing JSON in Notes Client and Domino  

By Daniel Nashed | 7/29/24 3:20 AM | Development - Notes / Domino | Added by Roberto Boccadoro

The Lotus Script class for reading and writing JSON is that easy. There are not many examples and some functionality is missing. JSON can be either condensed without any new lines and indentation. That's great when you use it for back-end processing or REST services. Why is pretty printing important But in some cases you need pretty formatted JSON. Specially when you want to maintain it manually and extend it. For example for Domino OTS JSON files :-) When you use JSON based configuration pretty printed JSON is very helpful. Condensed JSON is also difficult to check into Git. Everything looks modified when it is a single line.

HCL Nomad server 1.0.12 IF1 shipped with same file name than 1.0.12  

By Daniel Nashed | 7/22/24 6:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Nomad 1.0.12 has been replaced with a 1.0.2 IF1 version. MHS has only the new version. The old version can't be downloaded any more. But they left the file names the same. So you can't distinct the files by name once you downloaded them. So you have to delete the old file and re-download it. The same file name with a different content (resulting in a different hash and size), breaks automation. For example it broke the Domino container build automation.

Running Domino Windows container image on Windows 2022  

By Daniel Nashed | 7/8/24 1:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Two years ago I have been looking into Domino in a Windows container already. The main purpose was to understand the technology and if this makes sense to be used in general. IMHO container technology is mainly helpful on Linux. Containers on Linux use core OS level functionality, which is part of the Linux kernel. Only Linux makes sense for production use for me. But a Windows container can be a great test environment for automation testing and other test use cases. I revisited my container build on Windows this weekend and first updated it to Domino 14 and also updated all involved tooling like 7Zip. In addition I looked into how I could leverage a Windows container image for testing.

New Nomad Server features -- ACME HTTP-01 challenge support & HTTP redirects via port 9080  

By Daniel Nashed | 7/8/24 1:42 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There are two new features in the latest Nomad Server versions, introduced to Nomad Server without big notice. I just got the question from a partner why Nomad Server now binds port 9080 in addition to port 9443 and the internal communication port (only loop back). The port might be used by other applications like the IBM Spectrum Protect (TDP) -- which was the problem in this customer case. It turns out the TDP Java based restore GUI and does not work in combination without changing or disabling the port.

Building applications in a build container  

By Daniel Nashed | 5/13/24 4:32 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Specially when developing for different target versions of an OS or an application a build container can be very helpful. But build containers are also really helpful in larger teams when everyone should use the exact same build environment. The Domino container project supports adding the Notes/Domino C-API SDK to the container image. In case of Domino libnotes.so is required. Therefore compiling requires at least an installed Domino server with the same or newer version than the SDK version. I built a Domino 14.0 FP1 image including C-API 14.0 and tagged it hclcom/domino:build. For this blog post I am using the simple test program in the container projects automation test directory --> https://github.com/HCL-TECH-SOFTWARE/domino-container/tree/main/testing The directory is defined as a volume inside the container /build.

Domino Container Project: software.txt link & new start script version  

By Daniel Nashed | 5/9/24 3:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The container project contains a software.txt file with all the web-kits used to build images. For some technical reasons the file was located in two places. 1. The build.sh script uses software.txt for checking web-kits before the image build starts. 2. The actually image build process uses software.txt to verify the downloaded web-kits before installing them. software.txt and current_version.txt can also be added to a custom software directory (SOFTWARE_DIR) or remote download location (DOWNLOAD_FROM).

HCL SafeLinx 1.4.2 available -- New best friend "Domino CertMgr"  

By Daniel Nashed | 5/2/24 9:21 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This was a quite high rated AHA idea. So the SafeLinx team and Domino team teamed up to implement it. The flow is integrated into the SafeLinx UI and SafeLinx also allows ACME challenge "passthru". There isn't any change in CertMgr needed. It is implemented in a way that you could implement your own integration flows. If you have a specific integration idea, ping me. I can point you to the right direction.

Updating autoupdate.nsf with the new template (14.0 08.03.2024)  

By Daniel Nashed | 4/17/24 3:56 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The new fit & finish work and the new autcat.nsf integration requires template changes. Please make sure you are getting the template version 14.0 from 08.03.2024 and not the earlier version from 03.11.2023 shipped with Domino 14. When deploying the container image I noticed an issue with the folder permissions where the container image is getting template updates for Fixpacks. The directory /opt/hcl/domino/notes/latest/linux/data1_bck/140FP1/localnotesdata contains updated templates. But the directory can be only accessed by "root" and the container runs with the "notes" user. This is not new to 14.0 FP1. Also 12.0.2 fixpacks had the same permissions, but nobody noticed the missing updates.

Domino AutoUpdate AUT Catalog integration in action  

By Daniel Nashed | 4/17/24 3:54 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When the new integration is enabled, client web-kits are just pushed to AUT Catalog. The push will also happen for existing web-kits once the document is updated with data containing the Metadata XML. No manual steps needed. The documents and the new view have a button to directly jump into AUT Catalog. The button on top only shows up for software pushed to AUT Catalog. AUT Catalog sometimes has multiple documents for the same web-kit.

Adding TOTP to your own application  

By Daniel Nashed | 4/16/24 5:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The oathtool is the standard tool on Linux. It comes as a command-line tool or a dynamic and static link lib to be used in your own applications. You can statically link the code into your application and generate TOTP codes and also validate them. The homepage contains information about the command line tool "oathtool" and also the lib "liboath". https://www.nongnu.org/oath-toolkit/ Example how to use it on command-line. The example used the base32 encoded secret for "test". oathtool --totp -b ORSXG5AK

Linux - Using Cron to schedule periodic jobs like certificate updates  

By Daniel Nashed | 4/11/24 5:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In all the years I have never looked into cron. But it is really a very straightforward functionality, which is used by Linux itself. You can either schedule user specific jobs or use /etc/cron.d files or /etc/crontab. There is a certificate update script --> https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/cert_upd_nginx.sh

Howto convert cert formats from and to PEM  

By Daniel Nashed | 4/11/24 5:09 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

CertMgr uses PEM internally for all operations. The PEM format is the most important format. But you might get your files from your admin or a CA in different formats. CertStore can import and export PEM and PKCS12 (PFX, p12). But this might not always work in the way you expect it because of legacy encryption. I just wrote a new howto document providing some background and providing OpenSSL command line options.

Domino meets Grafana & Loki  

By Daniel Nashed | 4/8/24 12:45 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The latest Sametime version offers a graphical statistics dashboard based on Grafana and Prometheus. Domino statistics out of the box don't play well with Grafana. Prometheus needs a pull model and the Domino Stats Package added in Version 10 only supports the push model. Sametime uses the push gateway, but because the Domino statistic names need to be transformed anyway, I wrote a small servertask to provide the stats to be included into the node_exporter, which already is used to provide Linux system statistics. Beside statistics I also looked into Grafana Loki to collect logs and make them available over the Grafana interface. The data is collected by promtail.

SNMP with Domino on Docker  

By Daniel Nashed | 4/1/24 1:59 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Simple Network Management Protocol (SNMP) is a rarely used functionality in Domino, which has been implemented in Domino in the last century. But I got a request from a customer to get SNMP working with Domino in a container to monitor the server. On Kubernetes there are other ways to monitor servers. But for a stand-alone Docker host, SNMP could still make sense and can be implemented.

Important: Domino ID Vault -- Don’t remove old servers if still referenced in user documents  

By Daniel Nashed | 3/28/24 4:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When you migrate to new servers, you have to be aware of the following limitation, which is documented in 12.0.2/14.0 but also affects older servers. To ensure you can recover all user.IDs make sure the server document is still present and the server is still in the ID vault configuration. See the following warning in help and Kbase document. This is a recent update in documentation and I just sent it to a customer during a server upgrade/move workshop.

Introducing Domino Borg Backup Integration V2  

By Daniel Nashed | 3/19/24 2:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Borg Backup is an interesting backup option for Linux (https://www.borgbackup.org/) and also works inside a Domino container with a local or remote repository. The first integration with Domino Backup used bash scripts and Borg commands. But this had limitations due to the way Borg handles backups. Each database was stored in a separate repository. I have been looking for direct integration to avoid this overhead and store all backup data into a single backup. There is a newer option to import tar data directly into Borg as a stream -> https://borgbackup.readthedocs.io/en/stable/usage/tar.html.

High Domino Backup performance with native ZFS storage on Proxmox  

By Daniel Nashed | 3/19/24 2:32 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Domino 12+ default native backup is a very easy to use option, which also works on Docker containers. The resulting backup to a file target is always consistent, because delta information is always applied to the backup file. But a file target raises the challenge that the whole NSF data will be copied to the target file-share or disk. Therefore a de-duplicating target is highly recommended. I took a look into ZFS in detail in my new local setup to test out performance.

Looking into S3 performance numbers for MinIO -- Is this the right target for backup?  

By Daniel Nashed | 3/19/24 2:31 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I know MinIO for a while and I have been using it for DAOS T2 testing early on. Years later they are now grow up and play in the cloud native storage league. Still the devil is in the detail and for using it in production environment customers hopefully use the enterprise subscription to get tuning support. Paying for support this doesn't make it a cheap storage any more if you look at their price tag.

First look at openSUSE Leap 15.6 Beta with Domino 14  

By Daniel Nashed | 3/19/24 2:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

As some of you know from earlier discussions, the latest currently available SUSE Enterprise and openSUSE Leap 15.5 ships with a too old glibc to work out of the box with Domino 14. You could still run it on a Docker(or Podman) host, because the container image brings the glibc run-time with it and only uses the kernel from the Docker host. openSUSE Leap and SUSE Enterprise (SLES) share the repositories and are technically more or less the same. SUSE Linux 15.6 is scheduled for mid 2024 I have been looking into openSUSE Leap earlier with their Alpha version. Now the official beta is available for download As expected Domino 14 works natively with the updated glibc. The requirement is glibc 2.34+. This Linux version will introduce glibc 2.38. But SUSE also switched again to a new major kernel version with a Service Pack. This means HCL will have to re-rest SUSE Linux once the final version is released. It will take some time to have fully tested and support SUSE supported for Domino 14.0.

Important: For Domino SMTP with ECDSA keys for STARTTLS inbound  

By Daniel Nashed | 3/19/24 2:23 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The short version of you don't want to know all the technical details: If you choose a ECDSA key for your web server, make sure you have also a RSA key for SMTP inbound connections In case you are interested in the technical details, read on ...