Update - April 17 2017 - IBM has fixed the issue in 9.0.1 FP8 IF1.

In my last post about NIFNSF, Christian Hensler left this comment:

Image:Domino NIFNSF update - you probably don’t want to enable it
I couldn't find anything on the internet, so off I went to the Design Partner forum and sure enough there is a post in there from Michael Bourak. Now this is NDA'd so I'm maybe skirting the rules here, but there is indeed an IBM reproduced issue with performance with NIFNSF. So this AM I did some testing and I was able to reproduce the issue. Based on my testing, on average, the current NIFNSF implementation is twice as slow as non-NIFNSF databases.

So you may not want to implement it just yet.
Darren Duke   |   March 31 2017 10:33:37 AM   |    domino    |   Comments [7]

Update 2 - April 17 2017 - IBM has fixed the issue in 9.0.1 FP8 IF1.

Update - March 31 2017 -  You may not want to enable this, see this post.

New in Fix Pack Feature Pack 8 is the ability to move the view index files out of the NSF. NIF is the technical term for these index files, and they end with the file suffix NDX. Doing this has several advantages including:
  • Make the NSF smaller, so better backup times
  • Help get more out of the 64GB limit....if 6GB of your NSF is NIF index, that's a lot of space
  • Move NIF's to better performing storage, for example SSD's
  • Allows concurrent access to databases and views, so theoretically better performance

I decided to upgrade my production cluster to FP8 and turn on this new feature that was originally slated for 9.0.2. Here's what I did:
1. I added a new VMDK for these new files, in my case an i: drive and a folder, so my NIF path is i:\NIF\
2. Upgraded server to FP8
3. Made sure CREATE_R9_DATABASES=1 (or CREATE_R85_DATABASES=1) is in the notes.ini file
4. Added NIFNSFEnable=1 to the notes.ini
5. Added NIFBasePath=i:\nif\ to the notes.ini
6. Added CREATE_NIFNSF_DATABASES=1 to the notes.ini (this makes any newly created NSF use the NIF repository so you don't have to constantly worry about enabling it for new databases)
7. Restarted Domino

Like DAOS before it, this only enables NIF; it doesn't switch it on for existing databases. So on the server I issued a compact command:

load compact -c -nifnsf on mail\blah.nsf

Off the server goes and here's the output:

Image:Moving Domino NIF indexes out of the NSF

Oooh. Off I go to look at the new NIF drive and sure enough there it is:

Image:Moving Domino NIF indexes out of the NSF

Humm. Not a lot of savings....25MB (about 8% savings, and not a lot of folders). OK, let's try my archive mail file, that's a big-ish one:

Image:Moving Domino NIF indexes out of the NSF

Better. About 11% of the archive were view indexes (archive is 6.5GB logical size...not physical).

So what are we seeing here? Well, I think you'd see much larger savings, 25% or more, if you have a custom application with lots and lots of heavily used views and lots and lots of documents. And if that app is, oh, let's say 40GB, then you can shave 10GB+ off that size, which is not a bad thing. Mail seems to be between 5-15% for the record. Still, that *could* equate to 15% off the time to back up your data, so even that may be worth doing in your environment.

In some environments it may also be useful to do this for the Domino Directory; in this case (and for admin4 and log) the server needs to be down.

Further details are in this IBM article.

Darren Duke   |   March 29 2017 12:16:32 PM   |    domino    |   Comments [4]

December 19 2016 Monday

2016 the annus horribilis review

Firefox started at 43, ended at 50 (they are slowing down....)

Chrome started at 47, ended at 55 (they are speeding up....)

IE....you know what? F**k IE.

Still using Chrome as my primary browser, although Vivaldi is slowly taking over

Didn't go to Connect 16. Won't be at Connect 17. I already know what's going to happen....IBM is going to tell you about all the products that they promise *cognitive* is being added to. Like Verse (2 years ago?) and Toscana. "No, really we are" they will promise. There is a new GM. Can't possibly be worse than the last one.

Speaking of Toscana, it was released. In only a way IBM can release something. Think Verse Basic with all the features taken out. 

Following on from the "release" of new products, IBM decided not to release (as in ever) 9.0.2. Yeah, I know right.....

But Verse On-Prem should see the light of day on December 30th. Yeah, I know right.....

Oh, Hawthorn was released. So there's that.

Still never seen a live (or otherwise) CCM installation. 

Moved up to an iPhone 7 Plus, fingerprint smudge edition. Or as most people call it the shiny black one.

Oh, oh....new podcast. Stu and I could resist no longer. We also brought along Jesse Gallagher so IBM can blame someone new.

We also sneaked in one last TWIL. No really, 115 is it. (see above)

Any "Big IT" thinking of splitting itself in two should endeavor to be more like HPE/HP and not at all like the train wreck that is the Symantec/Veritas split. Train. Wreck. 

By year end I should have 50+ nights in hotels. Not the rented by the hour type, but *real* hotels. That number went up, but my time in a car is about 90 minutes less per day. Yes, per day. Ah, life in ATL.

Brexit *and* Trump. Luckily my grandparents were Irish, so I see another passport in my future.

After having voters potentially end the world, I decided not to inflict further damage on my psyche and stayed with Windows 7 Pro. Even a free Windows 10 is too much to take.

Completed 10,000+ steps every day since Nov 30, 2015. So over 365 days now....the streak is still active. 15,000,000 total steps on my various Fitbit devices.

Technologies that made 2016, Let's Encrypt, SONOS, Nest, Roku, 4K TV's

Darren Duke   |   December 19 2016 09:30:56 AM   |    misc    |   Comments [0]

A while back I blogged that I switched the SSL on this blog to Let's Encrypt, the free SSL provider. I even linked to the Crontab post I used to renew the SSL certificate (they are only good for 90 days, so need to be renewed regularly).

Except mine would not renew. Hum.... I eventually got around to looking at this before the certificate ran out on Dec 20th and it turns out I needed to do a few more steps.

If you manually run the renew.sh on the server without these additional steps this is what you get:

[root@nginx ~]# /root/letsencrypt/scripts/renew.sh
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/darrenduke.net.conf
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darrenduke.net
tls-sni-01 challenge for blog.darrenduke.com
tls-sni-01 challenge for blog.darrenduke.net
tls-sni-01 challenge for www.darrenduke.net
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darrenduke.net.conf produced an unexpected error: Cannot find a VirtualHost matching domain darrenduke.net.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The Let's Encrypt cert has not been renewed!

  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 592, in renew
    renewal.renew_all_lineages(config)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/renewal.py", line 365, in renew_all_lineages
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Well that's not good....off I went a-Googling. Here's the missing step.....at least for NginX servers.

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d darrenduke.net -d blog.darrenduke.net -d blog.darrenduke.com -d www.darrenduke.net

A few notes: check that the webroot-path is what is listed as the root in the NginX config, and add each domain that is part of the SSL certificate with the -d option (I have 4 above).

Once you do this you will see a fair amount of messages on the screen and eventually get to this:

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/darrenduke.net/fullchain.pem. Your cert will
expire on 2017-03-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Now when I manually try to renew the certificate I don't get any errors:

[root@nginx letsencrypt]# ./letsencrypt-auto renew --nginx
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/darrenduke.net.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/darrenduke.net/fullchain.pem (skipped)
No renewals were attempted.

Another thing worth noting is that I appended --nginx to the crontab job as well. That takes care of restarting NginX for me once the certificate is renewed.

I guess we'll see if this all works at the end of February.
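
The two notes above (webroot-path must match the NginX root, and every domain on the certificate needs its own -d) can be checked before the cron job runs. This is an added example, not from the original post and not certbot's own code; the sample files are constructed, and the parsers assume simple single-line nginx directives and the [renewalparams] / [[webroot_map]] layout of a certbot renewal file.

```python
import re

def parse_renewal_conf(text):
    """Return (authenticator, {domain: webroot}) from a certbot renewal .conf."""
    authenticator, webroot_map, in_map = None, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = (line == "[[webroot_map]]")  # per-domain webroot section
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if in_map:
            webroot_map[key] = value.rstrip("/")
        elif key == "authenticator":
            authenticator = value
    return authenticator, webroot_map

def parse_nginx_server(text):
    """Return (server_names, root) from a single nginx server block."""
    names = re.search(r"^\s*server_name\s+([^;]+);", text, re.M)
    root = re.search(r"^\s*root\s+([^;]+);", text, re.M)
    return (names.group(1).split() if names else [],
            root.group(1).strip().rstrip("/") if root else None)

def audit(renewal_text, nginx_text):
    """List reasons an unattended webroot renewal would not cover this site."""
    auth, wmap = parse_renewal_conf(renewal_text)
    names, root = parse_nginx_server(nginx_text)
    findings = []
    if auth != "webroot":
        findings.append("authenticator is %r, not webroot" % auth)
    for name in names:
        if name not in wmap:
            findings.append("%s: not in [[webroot_map]]" % name)
        elif wmap[name] != root:
            findings.append("%s: webroot %s != nginx root %s" % (name, wmap[name], root))
    return findings

# Constructed samples (not the author's real files); domains and path are from the post.
NGINX = """server {
    server_name darrenduke.net blog.darrenduke.net blog.darrenduke.com www.darrenduke.net;
    root /usr/share/nginx/html;
}"""
BEFORE = "[renewalparams]\nauthenticator = nginx\n"
AFTER = ("[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\n" + "".join(
    "%s = /usr/share/nginx/html/\n" % d for d in parse_nginx_server(NGINX)[0]))

if __name__ == "__main__":
    print("before:", audit(BEFORE, NGINX), "after:", audit(AFTER, NGINX))
```

An empty list means every name NginX serves has a webroot entry pointing at the same directory NginX serves from, which is what the HTTP challenge needs.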
Darren Duke   |   December 9 2016 11:06:31 AM   |    ssl  security    |   Comments [0]

A long time ago, before IBM came down like a hammer, there was a podcast. We really enjoyed doing This Week In Lotus, but it became a bit untenable as IBM threatened all kinds of stuff (including revoking *my* Champion status.....) so we stopped. But IBM kept doing "WTF?" kinds of things.....canceling 9.0.2, going to fix packs only, spreading Java 8 out over a year (from now). After getting together at MWLUG, Stuart and I started to reminisce and we started thinking about saddling up again.

So we did.....

Image:WTF? A new podcast? If you liked This Week In Lotus, you should (at least) like ’WTF Tech’

Except this time there are some notable changes:
  • New name, WTF Tech.
  • There are three hosts now. As noted in the last ever TWIL, Jesse Gallagher joins the team. He's funny so he offsets Stu, and he's knowledgeable so he offsets me.
  • Focus has moved from IBM. I would not say IBM are irrelevant (yet, in fact Episode 001's title comes from IBM), but we've expanded our reach. No one is safe.
  • There will be no guests. So no more shitty audio from guests who never RTFM and had no headphones.
  • It will not be weekly. We're thinking every two weeks, but some weeks will be barren and others (like this last week) will be a perfect storm.

There will be tips, so don't worry. And snark. No point doing it if there wasn't snark.

So what are you waiting for? Head on over to http://wtftech.fm/ and join the fun, and be sure to follow @wtf_tech on Twitter.

Darren Duke   |   October 31 2016 09:00:00 AM   |    podcast    |   Comments [1]

I had switched the blog to SSL a while back (mainly due to Google threatening that non-SSL websites will take a hit in searches). At the time Let's Encrypt (the free, yes free, CA SSL issuer) was just getting started and didn't have roots published to most of the browser root stores. Because of this I went with a free certificate available from StartSSL. I'm not disappointed with StartSSL, it's just time to try something else when the StartSSL certificate expired. In fact if you need anything SSL related I'd suggest you give StartSSL a look, they have lots of options and are very reasonable on prices.

Still this blog doesn't need EV or anything like that so Let's Encrypt it is. While this blog runs on a Domino server it is fronted by a CentOS server running nginx. These servers are located at Prominic and a quick support request had the required Linux pre-reqs installed on the nginx server.

From there it took maybe 10 minutes to create and install the SSL.

I could outline the steps here, but really, I just followed this:


And then used this for the crontab stuff:


Darren Duke   |   September 21 2016 11:55:20 AM   |    ssl  security    |   Comments [0]

I had praised, then lamented the new-ish iNotes forms templates that allow you to copy and paste images from the clipboard into IE. Well, with FP7 IBM (so far) seem to have addressed the search issue that forced me to disable this again.

It's now back on for my servers. Let's see how long before I lament this again.

It is probably worth pointing out that Ulrich Krause is reporting issues with the "normal" iNotes forms9.nsf shipped in FP7. I have not seen the issue he reported in the forms9s.nsf.

Darren Duke   |   September 14 2016 10:18:37 AM   |    domino  inotes    |   Comments [4]

Update : Check the comments, Shaun has added a link to the actual IBM technote..... you may or may not want 127 as the value, so check that before doing anything.

9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8) but yet again the Domino security team has added stuff, this time the oft requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or a nice looking, but still pointless 404 page.

So how do you enable this? Well, after scouring the design partner forum I found a post from the lovely Dave Kern that outlined this a few months back and was able to pretty easily figure it from there......

This is not everything, there seems to be at least one other setting, but this will get you AES port encryption, so it's a start

It's a server side notes.ini setting called PORT_ENC_ADV and it's a bitmask value. Based on Dave's post I set this value to 127. That gets me the best available (based on current standards) port encryption that Notes can do. In this case AES_GCM_256, with an AES_128 ticket.

It is backward compatible, I tested with FP6 and FP7 clients with this new ini setting with no issue. I see no reason why any client from 6.x onwards would be an issue, but test all the same. So to enable add this to your server notes.ini:


Restart Domino. If you have a FP7 or later client then you will be using AES. To prove this you can enable these two notes.ini settings on the client:


And you can now see the new port encryption being used. Here's a (just upgraded) FP7 client debug output:

Image:9.0.1 FP7 and how to enable the new port encryption settings

Here's a FP6 client, where the server fails back to RC4_128:

Image:9.0.1 FP7 and how to enable the new port encryption settings
Darren Duke   |   September 14 2016 04:37:42 AM   |    domino  notes  security    |   Comments [2]

Stuart, myself and Jesse Gallagher join for the weekly bi-annual podcast for one last time....listen to it here:


There is also an exciting announcement at the end.....
Darren Duke   |   September 6 2016 09:15:54 AM   |    twil  ibm  mwlug  domino    |   Comments [3]

Hawthorn 2.0, AKA IBM Mail Support for Microsoft Outlook, AKA IMSMO has recently been released. One of the main install differences between GA (2.0) and LA (1.0) code is that GA requires use of IBM DB2 as a state store for the IMSMO Domino server (whereas 1.0 had no such requirement).

Most organizations can count on the fingers of no hands how many DB2 servers they have, so you'd expect IBM to support MS SQL server right? You'd be wrong. You along with me are a moron, and no one's ever asked for that.

Except now I have. And I have a SPR to prove it. IBM uses SPR's to weigh the decision to add a requested feature to a product, so the more organizations that pile on, the bigger the chance IBM will provide this.

If you want this added to IMSMO then you can call IBM support (or use the website) and request that your organization be added to the SPR by referencing SPR RCGOAD5LHQ (APAR LO90041).
Darren Duke   |   August 29 2016 01:46:34 PM   |    domino  hawthorn    |   Comments [3]