Darren Duke May 15 2013 12:24:29 PM
Well, first you probably want to know why IBM added the IBM HTTP Server (IHS) to Domino.....basically to allow Domino to do TLS over HTTP (which native Domino HTTP cannot do....it can do TLS over SMTP but not HTTP), but I think it was also a roundabout "fix" some SSL scaling issues that Domino can have.
So how do I get it?
Well, it's built into the 9.0 installer for Windows Domino servers (other OSes, you are out of luck....complain via a PMR) but you only see it when you do a custom Domino install:
Once you select that you now get a new option on the next screen:
Check that new option and IBM HTTP Server will be installed on the same server as Domino. You can use this for Traveler too, just make sure you install Domino 9.0 IF1 if you are as there is a bug on the gold code.
Once you have it installed there are still some tasks to do with the server's notes.ini file as outlined in the 9.0 admin help
and it is worth nothing when you add the following to the notes.ini file
the Domino HTTP now listens on port 9288 for loopback connections from IHS and that Domino will only accept connections that originate from the same computer.
Darren Duke May 9 2013 10:25:57 AM
This post came out of an email where an IBMer threatened to audit an STS customer because they didn't renew. The customer got a better deal switching to a different license type (thanks to STS) which ended up being a new-net purchase and not a renewal, hence the IBMer was none too pleased. Lisa convinced me not to make this ass-hat IBMer famous in this post. But what I will do is outline what you need to know as a customer who uses sub-capacity licensing within your organization.
When you accept your IBM software agreement (you know, that thing you never read and click "OK" on to get the software) there are several stipulations in that agreement that you should be doing as you have now agreed to them (you clicked "OK").
The backbone of this is that you agree to install and keep the results of the "IBM Licensing and Metric Tool" (ILMT). This tool basically tries to estimate your compliance to the PVUs you use to the PVUs you have purchased (I have a spreadsheet that does this way better, but that is a different story).
I will distill the requirements for ILMT into what I believe is fairly close to letter of the license. I am not a lawyer, nor did I stay at a Holiday Inn so do not take this as a guarantee of accuracy. This is IBM's license, so IBM would probably win in an argument (and they almost certainty have more lawyers than you do).
All of this information is based off the Sub-capacity licesnsing FAQ
on the IBM site.
The rules basically follow:
1. All PVU licensed software installed on a "supported" sub-capacity platform is applicable to ILMT monitoring unless you are exempted (I have listed the exemptions below)
2. No information is sent to IBM, but you are required to retain 24 months of historic ILMT data (presumably for IBM audit purposes)
3. If you are required to use ILMT then you must install ILMT within 90 days of accepting your first PPA agreement that would fall within the need for ILMT
4. There is no separate sub-capacity agreement any more, as it was combined into the standard agreement in 2011
So, pretty bullet proof right? Well there are some exemptions:
1. Any per user software is not applicable, that would include CEO and most Express Domino licenses (but Domino Utility Express *is* as this is PVU based)
2. If the ILMT is not yet supported on your chosen sub-capacity platform
3. Customers with less than 1,000 worldwide employees, excluding service providers
4. Customers with total physical capacity of their servers with sub-capacity licensing within their worldwide enterprise is less than 1,000 PVUs
5. You have purchased PVUs for the full physical capacity of the server running a sub-capacity license
OK, so there you have it. Unless you can check off one of the above boxes for all your sub-capacity licenses then you are required to use and record ILMT results.
Also note, that even if you are exempt from tracking ILMT results, it does not absolve you from the need to be in compliance
Here is the actual text from the link above describing the exemptions:
Darren Duke May 6 2013 01:28:04 PM
Luckily there is also another presenter so don't let the fact that I'm presenting keep you away :)
Here's the abstracts and the registration details for the IBM hosted event from 11:30AM to 1:30PM on May 16th :
We have two presenters for our May meeting.
Brad Balassaitis of the PSC Group will present,
Presenting Data Effectively with XPages
A critical feature of any application is the organization and display of the data. In the Lotus Notes client, data views generally all look the same, but when designing an application for the web, users expect more and XPages delivers!
In this session, we will review many options for displaying data. We will cover core controls (including the View Panel and Repeat Control), Extension Library Controls (including the Data View and Dojo Data Grid), and even a third party option. After taking a look at each control’s features and drawbacks, you’ll be armed to make the best decisions for displaying data in your applications.
Brad Balassaitis has been developing Notes and Domino applications for 17 years, focusing on XPages for the past 3 years. He is a Senior Consultant on the Collaboration Team at PSC Group (psclistens.com), developing custom XPages applications to meet clients' needs. He blogs about XPages at xcellerant.net and has recently been published in The View and on NotesIn9.
Darren Duke of Simplified Technology Solutions (STS) will present,
“I have a Traveler server; maybe I should secure it some”.
An iPhone or iPad was given to you, "Make this work with Lotus", you were told. And so your Traveler server was born, much like BES before it, with nary a thought for "production use".
Traveler is a virulent technology, users flinging iPhones, iPads and Android devices at you at an alarming rate. There is no one-to-one relation for devices to users here… some folks have 4 or more devices attached to your Traveler server. You look like a rock star! "About time" you say to yourself.
But is it secure? Am I letting my users send free text passwords OTA (even with HTTPS there are more secure options)? Do you even know the security options available to you? Come learn what you can do to secure these slippery endpoints, these public facing servers and keep looking like a rock star……
Darren, technical guru at STS, the once vocal "bad cop" on "This Week In Lotus" podcast, Lotusphere and Connect speaker, sporadic blogger, ranting tweeter, and all round snarky guy will endeavor to both entertain and educate you in this neglected but very important area.
--Lunch will be provided by IBM! –
--Due to IBM security you need to reply if you are planning to attend the meeting. --
Please reply to firstname.lastname@example.org no later than early morning, Tuesday, May 14, 2013.
Darren Duke May 1 2013 12:02:39 PM
After the last clustering post,
Stop users accidentally connecting to passive Domino cluster servers I've had several people ask when I would use SERVER_RESTRICTED
as I'd indicated I would not use that to keep users off my clusters.
Well, let's look at this scenario where you are running an active-passive cluster (that is one server handles all user requests-the active; the other handles fail over when the active is down-the passive):
1. Your active server goes boom for whatever reason, hardware, crash, virus, asteroid hit..... Users fail over to passive.
2. You replace, repair or otherwise get active back online and the server is up and accepting user requests.
3. To get users off the passive and back to the active
I would add SERVER_RESTRICTED=1
(or 2, 3 or 4 see below)
to the passive server notes.ini. This will redirect all new open database requests to the rejected and forced back to the active. Users with active requests continue as usual on passive.
4. I would let the happen for a few hours or days then drop all users off passive after hours.
5. I would then remove SERVER_RESTRICTED
from the passive notes.ini and let SERVER_AVAILABILITY_THRESHOLD on the passive protect is from users drifting back to it. All users should now be back on active.
You can also use this technique to force users off an active and onto a passive for maintenance reasons by applying basically the same theory.
This is not to say this is the only use for SERVER_RESTRICTED
, but it is what I use it for. Note that there are multiple options for SERVER_RESTRICTED (1-4) and these are documented in IBM Technote 1089278
and what you choose will depend upon your outage reason.
Darren Duke April 22 2013 05:21:25 PM
While technically this *should* work with any TAPI provider I got it to work with an Avaya IP Office 500 which I see at a ton of SMB's. I like them too, nice pieces of kit.
Anyway, thanks to Ulrich Krause's post on SearchDomino
with code that can hook into TAPI I finally got around to trying to tie my Contact DB with the IP Phone. Here is how I did it....
- This is is on Windows 7 x64
- This can be done for any Notes app.....knock your self out, just change Ulrich's code to look at the field you want
- Using the vendor provided TAPI driver, in this case Avaya that came with 4.2.46 user software from the Avaya web site
1) Install TAPI from the vendor of your phone system. Reboot.
2) Once installed go to Control Panel/Phone and Modem, Advanced and hit "Add":
3) Select your vendors TAPI provider here and click Add. With the new provider in the list select it and click Configure:
4) Enter your IP Office server IP address and your user name or extension and password (if set):
5) Reboot. Yes, lots of reboots.
6) After the reboot use the Windows Phone dialer (dialer.exe) and go to Tools/Connect Using.... and pick the TAPI you just added, in my case it is called IP Office Phone (if you don't see it here in the list, go back to step 2, remove the provider and immediately re-add it, this worked for me):
7) Make sure that the dialing properties are set correctly by entering Tools/Dialing Properties. I had to play with Area Code Rules to get my dialing out correctly, specifically Include the are code and to dial a "9" for an outside line:
8) With that done, you should be able to make a call out via the dialer app:
9) With that done you have set up TAPI and can now move on to Notes......copy Ulrich's code from the link above, create an Agent in your Contacts DB and paste the code in (I called mine "Dial Number"). The website above seems to have truncated the code so make sure you have it right.....DDE complains but for me ensuring all the IF's and the Declare were on the same line as in this screen shot fixed the errors:
10) With the agent created open your contact DB and from a view or the document, click Actions/Dial Number:
11) The Dialer.exe app will fire up and the number in the OfficePhoneNumber field will be called. Provided you correctly configured dialing properties it should dial out and put your phone into speaker phone mode:
Pretty simple when you know how, but nowhere on the web could I find all the instructions in one place.
Again, I all did was screen shot the crap out of this, Ulrich's code is the part that makes it "easy".
Darren Duke April 18 2013 06:06:00 PM
Not sure when this happened, but IBM has now tiered the PVU requirements, which also affects Domino. This affects Intel CPUs (AMD are still all 50 PVUs per core)
Basically this tiered approach requires you to have a higher number of PVUs per core the more sockets you have in a single server. It's basically this:
<= 2 sockets : 70 PVUs per core (this is also any 5xxx series Xeon)
3 & 4 sockets : 100 PVUs per core
> 4 sockets : 120 PVUs per core
So just when you thought there was no way on earth you could hate the evil that is PVU, well....you were misguided. This seems to be a high end server tax, but maybe I'm just jaded (look at the link below.....jadeAction....erm....) and see this as a way to wring dollars out of audits.....or not. It's worth pointing out that some of these servers could have the same model of CPU, but the more sockets you add to a single server, the more you add to the higher the PVU "tax". More than eyebrow raising.
Anyway all the details are here:
Darren Duke April 15 2013 08:17:45 AM
In clusters I prefer to split my users between them, but if you don't do that (or can't, because as you have a Domino cluster server at a remote DR site for fail over only) then you can do the following to stop users accidentally connecting to the dormant/passive cluster member:
to the dormant/passive server notes.ini file.
Once you add that you should eventually see the server availability switch to this:
Some things to understand here....
1. Users will no longer "float" by accident onto the passive server
2. Admins can still access the server
3. If the non-passive server is down (crash, power outage, asteroid hit) then the Notes clients will fail over to the passive server regardless of the setting
4. You can prevent users from accessing passive servers by other means (I'm thinking of the server setting SERVER_RESTRICTED here, but know what you are doing when using this.
It is *not* the same as SERVER_AVAILABILITY_THRESHOLD)
As usual this post came about because I was asked about this functionality twice in the last few weeks.....
Darren Duke April 10 2013 12:10:07 PM
I just sat in on the excellent "Securing Domino Web Server" open-mic hosted by IBM. Go watch the replay when it is available, easily worth 60 minutes of your life. This showed how to "harden" a Domino web server and they think handled all the points well, with one exception (and I don't think is the fault of the presenters, but more a serious Domino issue). The user side of the equation. The people with the shitty passwords like "1234" and "password".
It is no secret the users and their organizations wish to rid themselves of the Notes ID. Hell, even IBM are developing everything these days on Websphere. For some organizations this means utilizing Domino as web server, as Traveler server or as an LDAP repository for authentication to WAS based or other applications. These all have a common thread, they use the Internet Password from a Domino Person Document. So my final question on the open-mic revolves around an organization that either does not use Notes ID files (let's say for iNotes, Quickr or Connections access) or a customer using Notes Shared Login (new in 8.0 or 8.5 I don't recall). These two types of organizations have two things in common......
Their users never change the Notes ID password. Ever. Never. Never, never, never.
So, if I don't have nor have ever changed my Notes ID password how can I force them to change their HTTP passwords (yes, I can do this via a policy if
they change their Notes ID password, but this is not that scenario). The same HTTP password that is used to access Traveler, iNotes, Quickr, Connections, basically everything ICS makes these days? Bottom line, you can't.
This is a pretty serious issue that I have brought up several times now only to be told you can do it by policies (with an ID file and
not using NSL, yes you can, otherwise you cannot) or use certificates (how does that work well unless I only ever use one PC all the time?). So here is the policy setting document screen shot:
This seems to indicate that you need a Notes ID. Swing and a miss for just forcing an Internet Password
change and that, in my opinion is a really bad design flaw in Domino. I just can't, in any practicable manner, force an Internet password change policy and/or an Internet password complexity policy without tying it back to an actual ID file that forces a user to enter a password.
Why not? This is not 1994 folks. Or am I missing something? And this exists already? I'm looking forward to eating crow on this post. So what am I missing?
Darren Duke April 8 2013 04:20:26 PM
Basically this will hopefully prevent hackers, ne'er-do-wellers and/or relatives from resetting your passwords.
Apple instructions are available at https://support.apple.com/kb/HT5570
Google instructions are available at http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
There are also others available, like DropBox, AWS, etc and Life Hacker
lists some others.....
While we are on about security, I use KeePass Password Safe
, the free and open source password manager to create and store passwords. It will create a password like this:
(no, this is not one of mine.....I created it from a blank KeePass entry)
I then sync this via DropBox (the KeyPass datastore is encrypted, mine is AES 256) to my other computers and devices. Great stuff it is to.
Darren Duke March 25 2013 06:02:21 PM
As you would expect the icons have changed:
But you now also get a monthly view in the calendar, along with a handy "Create new event...." at the bottom:
Here's hoping we see "pull down to refresh" and "hold to create event in time-slot" soon as well......