I had switched the blog to SSL a while back (mainly due to Google threatening that non-SSL websites will take a hit in searches). At the time Let's Encrypt (the free, yes free, CA SSL issuer) was just getting started and didn't have roots published to most of the browser root stores. Because of this I went with a free certificate available from StartSSL. I'm not disappointed with StartSSL, it was just time to try something else when the StartSSL certificate expired. In fact if you need anything SSL related I'd suggest you give StartSSL a look, they have lots of options and are very reasonable on prices.

Still this blog doesn't need EV or anything like that so Let's Encrypt it is. While this blog runs on a Domino server it is fronted by a CentOS server running nginx. These servers are located at Prominic and a quick support request had the required Linux pre-reqs installed on the nginx server.

From there it took maybe 10 minutes to create and install the SSL.

I could outline the steps here, but really, I just followed this:

http://idroot.net/tutorials/how-to-install-letsencrypt-ssl-with-nginx-on-centos-6/

And then used this for the crontab stuff:

https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/

Darren Duke   |   September 21 2016 11:55:20 AM   |    ssl  security    |   Comments [0]

I had praised, then lamented the new-ish iNotes forms templates that allow you to copy and paste images from the clipboard into IE. Well, with FP7 IBM (so far) seem to have addressed the search issue that forced me to disable this again.

It's now back on for my servers. Let's see how long before I lament this again.

It is probably worth pointing out that Ulrich Krause is reporting issues with the "normal" iNotes forms9.nsf shipped in FP7. I have not seen the issue he reported in the forms9s.nsf.






 
Darren Duke   |   September 14 2016 10:18:37 AM   |    domino  inotes    |   Comments [4]

Update: Check the comments, Shaun has added a link to the actual IBM technote... you may or may not want 127 as the value, so check that before doing anything.

9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8) but yet again the Domino security team has added stuff, this time the oft requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or a nice looking, but still pointless 404 page.

So how do you enable this? Well, after scouring the design partner forum I found a post from the lovely Dave Kern that outlined this a few months back and was able to pretty easily figure it out from there...

This is not everything, there seems to be at least one other setting, but this will get you AES port encryption, so it's a start.


It's a server-side notes.ini setting called PORT_ENC_ADV and it's a bitmask value. Based on Dave's post I set this value to 127. That gets me the best available (based on current standards) port encryption that Notes can do. In this case AES_GCM_256, with an AES_128 ticket.

It is backward compatible, I tested with FP6 and FP7 clients with this new ini setting with no issue. I see no reason why any client from 6.x onwards would be an issue, but test all the same. So to enable, add this to your server notes.ini:

PORT_ENC_ADV=127


Restart Domino. If you have an FP7 or later client then you will be using AES. To prove this you can enable these two notes.ini settings on the client:

LOG_AUTHENTICATION=1
Debug_Console=1


And you can now see the new port encryption being used. Here's a (just upgraded) FP7 client debug output:

Image:9.0.1 FP7 and how to enable the new port encryption settings

Here's an FP6 client, where the server falls back to RC4_128:

Image:9.0.1 FP7 and how to enable the new port encryption settings
Darren Duke   |   September 14 2016 04:37:42 AM   |    domino  notes  security    |   Comments [2]
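
For the PORT_ENC_ADV setting described in the post above, here is an added example (not from the original post or from IBM): a Python check that reads notes.ini text, finds PORT_ENC_ADV, and lists which bit values of the mask are set so they can be compared against the technote. It assumes setting names are matched case-insensitively and that 127 is the intended mask; the meaning of each bit is deliberately not assumed, and the sample file contents are constructed.

```python
# Added example: audit notes.ini text for the PORT_ENC_ADV setting.
# SAMPLE_INI is constructed for illustration, not taken from a real server.
SAMPLE_INI = """[Notes]
KitType=2
port_enc_adv=127
LOG_AUTHENTICATION=1
"""


def parse_notes_ini(text):
    """Map upper-cased setting names to every value seen, so repeats can be flagged."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, [Notes] header, or not a name=value pair
        name, _, value = line.partition("=")
        settings.setdefault(name.strip().upper(), []).append(value.strip())
    return settings


def bits(value):
    """Return the individual bit values (1, 2, 4, ...) set in a bitmask."""
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]


def audit_port_enc_adv(text, expected=127):
    """Compare PORT_ENC_ADV with the intended mask; bit meanings are not assumed."""
    values = parse_notes_ini(text).get("PORT_ENC_ADV", [])
    report = {"present": bool(values), "duplicate": len(values) > 1,
              "value": None, "bits_set": [], "bits_missing": [], "ok": False}
    if not values or not values[0].isdigit():
        return report  # absent, or not a plain non-negative integer
    value = int(values[0])
    report.update(
        value=value,
        bits_set=bits(value),
        bits_missing=bits(expected & ~value),
        ok=not report["duplicate"] and value & expected == expected,
    )
    return report


if __name__ == "__main__":
    for key, val in audit_port_enc_adv(SAMPLE_INI).items():
        print(f"{key}: {val}")
```

Pass a different `expected` value if the technote linked in the comments leads you to a mask other than 127; a repeated PORT_ENC_ADV line is reported as `duplicate` so it can be cleaned up rather than guessed at.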

Stuart, myself and Jesse Gallagher join for the weekly bi-annual podcast for one last time....listen to it here:

http://thisweekinlotus.com/115-doing-a-three-way/

There is also an exciting announcement at the end.....
Darren Duke   |   September 6 2016 09:15:54 AM   |    twil  ibm  mwlug  domino    |   Comments [3]

Hawthorn 2.0, AKA IBM Mail Support for Microsoft Outlook, AKA IMSMO has recently been released. One of the main install differences between GA (2.0) and LA (1.0) code is that GA requires use of IBM DB2 as a state store for the IMSMO Domino server (whereas 1.0 had no such requirement).

Most organizations can count on the fingers of no hands how many DB2 servers they have, so you'd expect IBM to support MS SQL Server, right? You'd be wrong. You along with me are a moron, and no one's ever asked for that.

Except now I have. And I have an SPR to prove it. IBM uses SPRs to weigh the decision to add a requested feature to a product, so the more organizations that pile on, the bigger the chance IBM will provide this.

If you want this added to IMSMO then you can call IBM support (or use the website) and request that your organization be added to the SPR by referencing SPR RCGOAD5LHQ (APAR LO90041).
Darren Duke   |   August 29 2016 01:46:34 PM   |    domino  hawthorn    |   Comments [3]

Originally 9.0.2 was scheduled for release in late 2015.

Then February 2016 (this would have been 28 months since 9.0.1 shipped)

Then 2H 2016.

Then 2017.

Now, well, never (if the scuttlebutt at MWLUG is to be believed, and I do believe it).

It was pushed for many reasons, notably to get Verse out of the door. As I mentioned in this post (9.0.2 where for art thou?) and this one (my customers don't want mail next) I've ranted and raved about this before.

To no avail.

Well, it seems some genius (<---sarcasm alert) at IBM has decided to not release 9.0.2 but to roll some (most?) of those features into the upcoming FP7 (and FP8?) release(s). At least we'll (allegedly) get Java 8 and AES port encryption at some point. I guess there is that.

So why would IBM kill a release that is all but ready to ship? I can only fathom one reasonable answer to this.....to forgo the need to support Notes/Domino for a further 5-7 years. I believe a fix pack is only supported as long as IBM want to support it (unless someone can guide me to an IBM document saying otherwise....a quick Google yielded no real answer to this), which is a whole metric shit ton less than 5-7 years. I also think that IBM is going to change the "fix pack" nomenclature, and this was alluded to in several IBM presentations at MWLUG, mainly, I believe as Domino is required for Verse On-Prem (VOP). Still it does look like this is the end of the line for the Notes client (not really a shock) and any semblance of a Domino app-dev strategy (kind of a shock).

Yet again, IBM is causing itself a decent dose of customer hate and migrations with their lack of communication, messaging and approach. You'd think both they and I would learn from this, alas I keep hoping for better for IBM. More fool me, right?

If I'm wrong about 9.0.2, I'm sure an IBM executive will post here. If I'm correct, no doubt I'll get a threatening phone call or two.
Darren Duke   |   August 24 2016 02:42:42 PM   |    902  domino  notes    |   Comments [14]

The first page of the presentation displays fine, but you can't navigate to any other slide or use any other actions (like the image below):

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....

The fix is to allow 3rd party cookies from SlideShare.net. You can do this in the Chrome settings page, like this:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....
Then, manage exceptions:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....

Add the following to the hostname pattern:

[*.]slideshare.net


Like this:

Image:Unable to view embedded SlideShare presentations in Chrome? Try this.....


You can now navigate embedded SlideShare presentations.





Darren Duke   |   August 22 2016 04:34:51 PM   |    presentations  chrome    |   Comments [0]

If you are unable to view this presentation correctly in Chrome, see this post
Darren Duke   |   August 22 2016 10:21:46 AM   |    mwlug  presentations  domino  security  ssl    |   Comments [7]

I got to thinking about this earlier today...

How can I as a customer/partner/interested party let IBM know of my discontent about the lack of urgency in releasing Domino 9.0.2?


I noodled on this for a few minutes and came up with some ways. A few (along with cons) are listed below:

1) Contact your IBM rep and tell them.
Pros:

Erm....
Cons:

If you can find them, by the time you hang up they will have a new job.

2) Move to another platform.
Pros:

Real Outlook support
Cons:

It'll cost a fortune

3) PMR
Pros:

Fast
Cons:

Well, it's a PMR

I have finally settled on number 3, create a PMR. See, I think the only way IBM will take notice and do something (new regime or otherwise) is to inundate the support channel with this request. It kind of worked for TLS support in Domino (prior even to the Poodle debacle....I have stories about this if you hit me up at MWLUG) so there is some hope with that outlet. Now, there won't be an SPR as IBM will never admit that 9.0.2 not being released is a bug, but still, enough PMRs could at least make some IBM executives uncomfortable in their Game Of Thrones.

So if you have PMR creation capability, I cordially invite you to enter a PMR requesting 9.0.2 be released soon. Here's the link to the IBM PMR creation page: https://www-947.ibm.com/support/servicerequest/Home.action

Here's mine:

Image:Idea - I’m going to open a PMR asking IBM to release 9.0.2....and you are invited to take part
Darren Duke   |   July 19 2016 01:11:02 PM   |    domino  lotus notes  902    |   Comments [11]

In my last post I made the mistake of thinking IBM had done a bang up job on the copy and paste with images from the clipboard into iNotes using IE11. Well.....about that.....

After enabling the following settings in the server notes.ini file a user is no longer able to use type-ahead search (view search):

iNotes_WA_DefaultFormsFile=iNotes/Forms9s.nsf
iNotes_WA_FormsFiles=iNotes/Forms9s.nsf


Here's the difference, search view in quirks mode works, standards mode does not:

Quirks mode IE:
Image:Well, so much for IE11 and iNotes standards mode

Standards mode IE:

Image:Well, so much for IE11 and iNotes standards mode

Time to revert back to quirks mode by removing the notes.ini settings....balls.

Time and time again, testing and QA is IBM's downfall. I'm beginning to think that I, together with IBM, will never learn this lesson. In the top screenshot you can even see my PMR about this.....oh, the hellish times we live in.
Darren Duke   |   July 19 2016 07:00:44 AM   |    inotes  domino    |   Comments [1]