Updated 3/31/2020 for 11.0.1

A few weeks ago it dawned on me that there doesn't seem to be a useful list (at least that I know of) of the features added to Domino over the last few releases. Then Lisa asked me for this list for an STS customer. While this is not definitive, it is at least a starting point to see what new features were added when, and maybe more importantly, what was added. This is a tad difficult to collate due to IBM's seriously disastrous decision to go the "feature pack" way for a while.

It should also be noted that as of 10 and higher IBM/HCL have reverted back to fix packs being fix packs. So no new features should be getting added outside of a release revision (for example, no new features in 10.0 FP1, but there are new features in 10.0.1).

So here goes:

9.0.1 (IBM)

  2. Java 8 on server
  3. Summary 16MB
  4. SAML ADFS 3.0

  1. New mail, contacts and pubnames templates (Some features below require these new templates)
  2. View open speed increase on TX logged NSFs
  3. Mail forwarding restrictions
  4. Inline view indexing
  5. Run mail rules on existing messages
  6. REST API improvements

  1. Java 8 in client and DDE
  2. Eclipse update 4.6.2 (from 3.4.2)

10.0 (IBM)
  1. Touch screen support
  2. Custom colors
  3. New mail template
  4. Dynamic indexing for highly changing views
  5. Symmetrical clusters
  6. Document deletion logging
  7. Dead mail automatic processing
  8. New ODS 53, 256GB NSF size support
  9. Node.js support
  10. DQL (Domino Query Language)

10.0.1 (IBM)
  1. AUT - automatic client update tool
  2. Marvel Client Essentials included
  3. SSL cipher improvements
  4. One time mail signatures

11.0 (HCL)
  1. New licensing model
  2. New mail template
  3. OpenSSL Use
  4. InstallAnywhere use
  5. DirectorySync
  6. Use ID Vault password as HTTP password
  7. AdoptOpenJDK 8 with OpenJ9
  8. DAOS 2-tier storage
  9. Nomad for iPad released

11.0.1 (HCL)
  1. SwiftFile integration is standard (can be disabled)
  2. New Directory Sync feature allows multiple AD users to be registered at once
  3. Subject Alternative Name (SAN) support in TLS certs
  4. SNI (Server Name Indication) support for Domino HTTP (disabled by default)
  5. DAOS tier 2 storage
  6. Docker image in UBI format
  7. Java
  8. Save (well export) document to PDF
  9. 128-bit AES local encryption
  10. Updated templates (including mail and pubnames)
  11. Cross Domain support for Traveler to get IDs from ID Vault
Darren Duke   |   February 29 2020 04:46:06 AM   |    domino    |   Comments [2]

Microsoft always seemed to detest that organization and users kept Windows XP and then Windows 7 for a decade or more. Well they've fixed that in Windows 10.

Windows 10 eh? Pretty much everyone hates it. The Windows updates are massive and feature updates can take an eternity to install on even the fastest of fast computers. Those feature updates are officially called the "Semi-Annual Channel" (SAC) and are released in March and September of each year. You know the ones I mean, they can break a ton of stuff. Now what if I tell you that Microsoft only support a given feature version (like 1703, the March 2017 version) for 18 months? Then your OS goes end of life, and you have to install a more recent feature update to keep getting security updates. The exact same feature updates that can break a ton of stuff. How would you like that?

Basically your Windows 10 Pro install has an 18-month planned obsolescence. On hardware that could last 4-5 years. Fantastic idea Microsoft.

Now I know all of this as we sell this stuff. And I honestly thought all the PCs at STS were on Windows 10 Enterprise (more on that later), but a vulnerability scan (the fantastic OpenVAS Community Edition is what I use) proved otherwise:

Image:Your Windows 10 Pro installation could be end of life

Sure enough, I go to the reporting PC, run winver and see Windows 10 Pro 1703....gah:

Image:Your Windows 10 Pro installation could be end of life

OK, so upgrade it to Windows 10 Pro 1809 and waste two to three hours of my life (this example PC is an i5-7500T with an NVMe SSD and it's been going for an hour already). But if I'm an organization with more than a handful of computers, or maybe my software is custom, or I have Panasonic Toughbooks that require 1607 (yes I know, not xx03 or xx09.....), or I want to avoid the whole feature-update-breaks-things problem, what can I do?

You need to buy Windows 10 Enterprise. This has a few advantages:
  1. These get 30 months of updates if you go with the September (xx09) version of Enterprise. March editions only get 18 months. WTF MS?
  2. There is a special version of Windows 10 Enterprise called the "Long Term Servicing Channel" (LTSC, formerly the "Long Term Servicing Branch" or LTSB). This puppy gets you 10 years, YES 10 YEARS of updates. You have to have a volume licensing account to get it though. And because your PC life cycle is somewhat less than 10 years (it is, right? Because if not we need a long hard chat) you never have to worry about an OS install or feature update install as long as the PC is in use.

LTSC also has some more advantages like no Windows Store and all the crap-ware, and no Edge browser. Other things too.
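The 18-month, 30-month and 10-year rules above are easy to check by hand for one PC and easy to get wrong across a fleet. What follows is an added example, not code from the original post: a small Python checker that turns a release ID such as 1703 plus an edition into an approximate end-of-service date using only the policy described above. Microsoft counts from the actual GA date (1703 shipped in April 2017, not March), so the real dates land a few weeks after what this computes; treat the result as a flag to go and check the lifecycle table rather than as the table itself. The registry key is the real one winver reads; the function names and sample dates are my own.

```python
"""Approximate Windows 10 end-of-service dates from a release ID.

Added example, not from the original post. It encodes only the policy the
post states: Pro gets 18 months, Enterprise gets 18 months for xx03
releases and 30 months for xx09 releases, LTSC gets 10 years. Microsoft
counts from the actual GA date, so real dates land a few weeks after what
this computes (1703 Pro really ended in October 2018; this says September).
"""
import datetime as dt
import sys

LTSC_MONTHS = 10 * 12


def nominal_release_date(release_id):
    """'1703' -> 2017-03-01: the month the release ID names, not the GA date.

    Only the numeric YYMM IDs work here. From 20H2 on the registry value
    ReleaseId is frozen at '2009' and the real name lives in DisplayVersion
    ('20H2'), which this simple policy table does not cover.
    """
    if len(release_id) != 4 or not release_id.isdigit():
        raise ValueError(f"unexpected release ID {release_id!r}")
    year, month = 2000 + int(release_id[:2]), int(release_id[2:])
    return dt.date(year, month, 1)


def servicing_months(release_id, edition):
    """Months of updates per the post: Pro 18, Enterprise 18/30, LTSC 120."""
    edition = edition.lower()
    if edition == "ltsc":
        return LTSC_MONTHS
    if edition == "enterprise" and release_id.endswith("09"):
        return 30
    if edition in ("pro", "enterprise"):
        return 18
    raise ValueError(f"no servicing policy for edition {edition!r}")


def _add_months(d, months):
    """First day of the month `months` after d (no calendar library needed)."""
    total = d.month - 1 + months
    return dt.date(d.year + total // 12, total % 12 + 1, 1)


def end_of_service(release_id, edition):
    """Approximate date after which this edition/release gets no more fixes."""
    return _add_months(nominal_release_date(release_id),
                       servicing_months(release_id, edition))


def is_supported(release_id, edition, today=None):
    """True if `today` (a date or ISO string) is still inside the window."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    return today < end_of_service(release_id, edition)


def local_release_id():
    """Read ReleaseId from the registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as key:
        return winreg.QueryValueEx(key, "ReleaseId")[0]


if __name__ == "__main__":
    today = "2019-05-11"  # the day the scan result above was looked at
    # The post's own cases; a local Windows box is prepended when present.
    cases = [("1703", "pro"), ("1703", "enterprise"),
             ("1809", "pro"), ("1809", "enterprise"), ("1809", "ltsc")]
    local = local_release_id()
    if local:
        cases.insert(0, (local, "pro"))
    for rid, edition in cases:
        eos = end_of_service(rid, edition)
        state = "supported" if is_supported(rid, edition, today) else "END OF LIFE"
        print(f"{rid} {edition:10s} approx end of service {eos}  -> {state}")
```

Run it on the Pro 1703 box from the scan and it flags END OF LIFE for Pro while still showing Enterprise 1703 inside its window, which is exactly the "extra year" the activation-key upgrade buys. For anything that matters, confirm against Microsoft's lifecycle table; the point of the script is to find the boxes you forgot about, as the OpenVAS scan did here.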

So if you have Enterprise why would anyone ever not go to LTSC? Good question. You cannot do an in-place upgrade from any version of Windows 10, yes, even non-LTSC Enterprise, to LTSC. It has to be a clean install (although you can keep data and files). That's why you may not want to do it. The PC that's upgrading to 1809 now has a fair amount of software that I don't really want to have to re-install from scratch, so I'm not doing LTSC on that until the OS takes a crap or the SSD dies. What I can do though is update to Windows 10 Pro 1809, then do an in-place upgrade to (non-LTSC) Windows 10 Enterprise by changing the activation key. This gets me a whole extra year of being able to ignore the issue again, as you can see from the non-LTSC life cycle table:

Image:Your Windows 10 Pro installation could be end of life

For reference here is the LTSC life cycle table:

Image:Your Windows 10 Pro installation could be end of life

The above tables  (and server and 8.1 and other stuff) are available at

As always, if this has piqued your interest in Windows 10 Enterprise drop Lisa a line.

This is also a good example of why just vulnerability scanning your network and allowing your desktop firewalls to block the scans is a bad idea. If I had done it that way (and not let OpenVAS authenticate into the OS) I may not have realized that I had a potentially highly vulnerable system just hanging about on my network.

Oh, and after 90 minutes of upgrading to 1809, this happens. And Microsoft wonder why pretty much everyone hates Windows 10. Maybe this PC will get LTSC after all.....

Image:Your Windows 10 Pro installation could be end of life
Darren Duke   |   May 11 2019 08:27:42 AM   |    windows    |   Comments [0]

December 18 2018 Tuesday

2018 Snark Review

The annual tradition continues. Sorry about that.

Firefox started at 57 and ended at 64.

Chrome started at 63 and ended at 71.

IE is still 11.

Edge is still claiming to be good and so, so secure.

Speaking of Edge, it is so good and so, so secure that Microsoft are apparently switching to Chromium as its underlying browser engine. One has to assume this switch is not related to goodness nor security, because then Microsoft would have been lying to everyone.

Firefox Quantum is still my browser of choice. Google simply cannot be trusted.

Cut the cable. Dumped DirecTV for DirecTV NOW. Saved a fair bit too. I use Roku 4K's and they do a very good job of upscaling the DirecTV NOW 1080p  picture to 4K. Very good indeed.

My iPhone X can make me into a unicorn. There are several meanings on the internet for "unicorn" and I want to make it clear I mean a literal, real-life (hum...) "unicorn".

There was a Domino 10.

There was not a Domino 9.0.2.

IBM (just) clarified the HCL position. IBM have moved from the "we're not selling anything to HCL" to "we're literally selling everything to HCL". Somewhat surprisingly this seemed to come somewhat as a surprise to both companies.

There was a Domino 10.

My 0.29 bitcoin is not likely to be worth $5M in 2 more years. It's now worth $1,007. Down $4,000 on the year. The pump and dump scheme that I hoped last year's snark review would cause didn't come to fruition. Either I need more readers or slightly less intelligent readers. Or both.

HCL? Kinda weird right? It's less weird than last year, but weird nonetheless.

I think we need to admit the new podcast is not a podcast anymore and is no longer a going concern. I...........have............so............many............tips.......

The world woke up to the fact that Facebook is not a nice company. This is your occasional reminder that Facebook was originally built to rank college girls' attractiveness. So yes, Zuckerberg being an evil genius who cares about nothing and has the psychological makeup of a Trump should come as a complete surprise to the aforementioned world.

If you're into Domino and you signed up for Think 19 (I'm presuming this is a thing still) you may want a refund.

There was a Domino 10.

Domino 10.0.1 was just released. Literally while I was writing this review.

There is going to be a Domino 11. You can tell as there are going to be "Jams" around this. And what happens in a "Jam" always makes it into the product. An "IdeaJam" if you will.

MWLUG needs to be in Philadelphia. Firstly, so I can visit it there on a business trip. Secondly, it may make me learn how to spell Philadelphia.

The winner of the "you keep f#$*ing up" award goes to Microsoft for their impressive lack of QA around Windows 10 updates.  

An honorable mention also goes to Microsoft for the sheer size of Windows 10 and Windows Server 2016 updates and the time they take to install.

Another honorable mention goes to Microsoft for Office 2019. It adds SVG and LaTeX support. Very mid-90s and mid-00s. More Office 97 than 2019.

There is also a TEXTJOIN function in Excel 2019.  Am I to presume this joins text? In Excel? After all these years of Googling how to CONCAT?

IBM sold a boat load of stuff to HCL. Did I say that already?

Software/Hardware that made 2018: Roku 4K, DirecTV Now, Greenshot and LibraESVA.
Darren Duke   |   December 18 2018 07:59:02 AM   |    misc    |   Comments [1]

Well, any file really, but this script is targeted at keeping the configuration files, SSL certificates and ModSecurity rules in sync across a cluster of reverse proxy servers. While this script is targeted at Apache (or Nginx) on Ubuntu, a few changed lines and it should work on any distro. If any changes are detected from the primary then the backup Apache server is restarted.

For this particular example I have two Apache reverse proxies running in HA (using Pacemaker, et al), and I only ever want to edit the configuration files on one server and have them copied to the other. No more forgetting to copy Apache configs (which you only ever find out about when one goes down).

As usual, use at your own risk and YMMV unless you are paying me. It's far from perfect, so feel free to change it as you will.

Here we go:
  1. Never test in production. Just saying.
  2. There are two servers, primary and backup. Primary is the source of the files, backup is the target. So any changes on primary will be reflected on backup at whatever cron frequency you see fit (I use 5 minutes).
  3. I'm using a user called rsyuser. This user is created on both servers and has read and write access to all the files/folders in question at both ends (I created a group and added this new user and root to it).
  4. The rsyuser user also has an SSH key so this can be done password-less. This SSH key is created on the backup server, logged in as rsyuser, with the command ssh-keygen -t rsa -b 2048 (make sure to just hit enter, and do not enter a passphrase). Once created, copy both files to the root user's ssh folder (/root/.ssh) and make the files you just copied owned by rsyuser, leaving the group as root.
  5. The public key of this user is copied to the primary server with this command from the backup:
    ssh-copy-id -i /home/rsyuser/.ssh/id_rsa.pub rsyuser@your_primary_server_ip_address
  6. You probably want to make sure you can now copy between the servers by manually running rsync from the backup to get files from the primary before you go any further.....
  7. Change the script to your IP addresses, services, and user, and place the script below in /home/rsyuser/ and make it executable (+x).
#!/bin/bash
# while technically this is for Ubuntu servers,
# you can easily change the paths to match CentOS, RHEL, etc

# Darren Duke

# Provided as-is. No warranty or guarantee is implied nor given

# Change the remoteIP to be your primary server IP address
remoteIP=your_primary_server_ip_address

# Change this to the user that you are using
rsyncusername=rsyuser

# for nginx change the line below to 'nginx'
serviceName=apache2

# Add to each array the folders you wish to sync.
# Element N of sourceFilesArray is pulled from the primary into element N
# of targetFilesArray, so keep the two arrays the same length and order.
sourceFilesArray=("/etc/apache2/sites-available/*.conf" "/etc/apache2/sites-enabled/*.conf" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/2018/*" "/etc/apache2/sts_ssl/*")

targetFilesArray=("/etc/apache2/sites-available/" "/etc/apache2/sites-enabled/" "/etc/modsecurity/modsecurity.conf" "/etc/apache2/sts_ssl/2018/" "/etc/apache2/sts_ssl/")

# set to 1 as soon as any rsync run reports a change
restartApache=0
count=0

for i in "${sourceFilesArray[@]}"
do
    # -i (itemize changes) prints one line per changed item, so a non-empty
    # result means something on the primary differed from the backup.
    # The wildcard in $i is expanded by the shell on the primary, not here.
    RSYNC_COMMAND=$(rsync -alizhe ssh "$rsyncusername@$remoteIP:$i" "${targetFilesArray[count]}")

    if [ $? -eq 0 ]; then
        # Connected, we're doing something right!
        echo "$i"
        if [ -n "${RSYNC_COMMAND}" ]; then
            echo 'in -n, so set restartApache so later it can be restarted'
            restartApache=1
        else
            echo 'in else, so no changes were made'
        fi
    else
        # Error....hum! Bail out rather than restart on a half-synced config
        exit 1
    fi

    count=$((count + 1))
    echo "$count"
done

echo "restart $serviceName: " $restartApache
if [ $restartApache -eq 1 ]; then
    service "$serviceName" restart
    echo "$serviceName restarted"
fi

As you will notice there are two arrays in the script. One lists the files you want to copy from the primary (handily called sourceFilesArray), the other is the target folder or file that sourceFilesArray[x] will get copied to (also handily called targetFilesArray). One of the really cool things about rsync (the engine behind all of this) is that it will take a wildcard and have it expanded on the primary, in real time as the script is executing. That is why you will see some sourceFilesArray elements having a wildcard (*) in them. This saves you a ton of array elements.
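The script restarts Apache whenever rsync -i prints anything at all, and that output also includes lines for a directory whose only change is its mtime, or a file whose only change is its permissions. The following is an added example, not code from the original post: a small Python filter over the itemized output that keeps only the changes a running Apache or Nginx would not pick up on its own (content transferred, a file created, a file deleted). The sample output it carries is constructed, not captured from a real run, and the config and certificate names in it are made up.

```python
"""Restart only when a synced change can affect the running service.

Added example, not part of the original post. The post's script restarts
Apache whenever `rsync -i` prints anything, which includes a directory
whose only change is its mtime. This parses the itemized output instead
and keeps the paths that matter. SAMPLE_OUTPUT is constructed, not
captured from a real run; the file names in it are made up.

Each itemized line is "YXcstpoguax path":
  Y  update type: '>' received, '<' sent, 'c' created/changed locally
     (directories, symlinks), '.' nothing transferred, '*' a message
     such as "*deleting"
  X  file type: f file, d directory, L symlink, D device, S special
  then one flag per attribute (c s t p o g u a x), '.' if unchanged,
  '+' in every position for a newly created item.
"""

SAMPLE_OUTPUT = """\
>f.st...... sites-enabled/www.conf
.d..t...... sts_ssl/2018/
>f+++++++++ sts_ssl/2018/www.crt
.f...p..... sts_ssl/2018/www.key
*deleting   sites-available/old.conf
cL+++++++++ sites-enabled/api.conf -> ../sites-available/api.conf
"""


def parse_itemized(output):
    """Yield (code, path) for each non-empty line of `rsync -i` output."""
    for line in output.splitlines():
        if not line.strip():
            continue
        code, _, rest = line.partition(" ")
        path = rest.lstrip()
        if " -> " in path:           # symlink lines carry "path -> target"
            path = path.split(" -> ", 1)[0]
        yield code, path


def affects_service(code):
    """True for changes a running Apache/Nginx will not pick up on its own."""
    if code.startswith("*"):         # "*deleting": a config or cert went away
        return True
    if len(code) < 2:
        return False
    update, ftype = code[0], code[1]
    if ftype == "d":                 # directory mtime/perm changes are noise
        return False
    # Content transferred or item created. A '.' update with only attribute
    # flags (e.g. ".f...p.....") is a perm/owner change; the config the
    # service already loaded is unaffected by that.
    return update in "<>c"


def changed_paths(output):
    """Paths from itemized output that warrant a restart, in rsync order."""
    return [path for code, path in parse_itemized(output) if affects_service(code)]


def needs_restart(output):
    return bool(changed_paths(output))


if __name__ == "__main__":
    import sys
    # Read real rsync -i output from a pipe; fall back to the sample when
    # run interactively. Exit status 0 means "restart", 1 means "leave it".
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for path in changed_paths(data):
        print("changed:", path)
    sys.exit(0 if needs_restart(data) else 1)
```

Wired into the script above, the restart branch becomes `printf '%s\n' "$RSYNC_COMMAND" | python3 needs_restart.py && restartApache=1` (needs_restart.py being whatever you name this file). Two things worth doing in the same branch regardless: run `apache2ctl configtest` (or `nginx -t`) before the restart, so a broken config synced from the primary does not take the backup down as well, and restrict the rsyuser key in the primary's authorized_keys with `from=` and `restrict` so that an unencrypted key sitting in /root/.ssh on the backup can only be used from that host.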

Once you have it working the way you want, simply create a cronjob on the backup server:

*/2     *       *       *       *       /home/rsyuser/rsync_apache.sh
Darren Duke   |   November 20 2018 03:49:08 AM   |    apache  nginx  security  linux    |   Comments [0]

October 15 2018 Monday

Domino 10 adds (nee TDI) IBM SDI 7.2

While downloading Domino 10 the other day I also saw this in the "Domino 10" download list I had searched for:

Image:Domino 10 adds (nee TDI) IBM SDI 7.2

In previous versions of Domino you only had entitlement rights to the now aging Tivoli Directory Integrator 7.1.1. I had asked a while back (maybe 18 months ago) about access to the (by then renamed) IBM Security Directory Integrator 7.2 and was told there were no plans. Well, now that we have a whole new Domino release someone realized that was a dumb decision and IBM have revved the entitlement to 7.2.

Once you get SDI 7.2 go get the latest fix pack too (at the time of writing FP5) from IBM Fix Central:

Image:Domino 10 adds (nee TDI) IBM SDI 7.2
Darren Duke   |   October 15 2018 10:18:26 AM   |    domino  tdi  10    |   Comments [0]

September 27 2018 Thursday

iNotes, ADFS and 2FA - the movie

Quite a while back (3 years!!!) I demo'd a completely password-less Notes client. The logical follow on to this is iNotes. But maybe I want a more secure iNotes, say with 2FA? Well, using a product called Duo, plus ADFS and Domino, we are able to do this.

For assistance with this contact Lisa. Duo is here.
Darren Duke   |   September 27 2018 06:20:49 AM   |    domino  inotes  security  duo  saml  wfl    |   Comments [0]

September 19 2018 Wednesday

Domino logging to Syslog

First off....I know right, a *blog post*! Who knew.......

So you have Domino.

And you have a syslog server where everything except Domino is logged to.

You want Domino to play along with everything else. What can you do?

For starters there is this event handler type in events4.nsf:

Image:Domino logging to Syslog

But in typical IBM fashion the documentation for the above is practically non-existent on how this works. Nor does there seem to be a way to specify a remote syslog server. So I would presume (and dear reader, feel free to leave a comment with links, etc. if you know them) that this only works with a Domino server running on Linux and AIX. Now with Linux I could syslog locally and then punt my logs to another syslog server. So theoretically this could do what we want on Linux platforms.

But what about Windows I hear you ask? Well here we need to use a combination of things. Specifically this event handler:

Image:Domino logging to Syslog

That puts my Domino server logs into the Windows Event viewer like so:

Image:Domino logging to Syslog

First stage ignition completed! Now to punt this over to a syslog server. For this I use NXLog Community Edition installed on the Windows servers and configure it to throw Windows Events out to my syslog server (in my case Nagios Log Server, which is free for <500MB/day, although I have used Graylog before as well, which has a free open-source version and an Enterprise edition that is free for <5GB/day, and also IBM's QRadar, which also has a community edition).

With NXLog configured to send Windows Event Logs to my syslog server I now have my Domino logs (from Windows Domino servers at least) in an infinitely more usable format (and my security folks may be happier too). Final stage ignition complete!
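Here is an added example of the NXLog side of this, not the configuration from the original post: an nxlog.conf for NXLog Community Edition on Windows that ships the Windows Event Log, where the Domino event handler above writes, to a syslog server. The server name, port and CA file path are placeholders. Plain UDP syslog on port 514 is unauthenticated and silently lossy, so this uses om_ssl on the standard TLS syslog port 6514 instead; if your collector only takes plain syslog, swap om_ssl for om_tcp or om_udp and drop the certificate directives.

```text
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_syslog_ietf() / to_syslog_bsd() for the output below
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Windows Event Log via the Vista-and-later API. Without a Query directive
# it collects the standard logs; add an XPath Query to restrict it to the
# log the Domino event handler writes to if you want Domino events only.
<Input eventlog>
    Module  im_msvistalog
</Input>

# TLS to the syslog server. syslog.example.com and the CA path are
# placeholders; AllowUntrusted FALSE makes NXLog verify the server cert
# against that CA instead of shipping your logs to whoever answers.
<Output syslog_tls>
    Module  om_ssl
    Host    syslog.example.com
    Port    6514
    CAFile  %ROOT%\cert\syslog-ca.pem
    AllowUntrusted FALSE
    Exec    to_syslog_ietf();
</Output>

<Route eventlog_to_syslog>
    Path    eventlog => syslog_tls
</Route>
```

to_syslog_ietf() produces RFC 5424 messages, which carry the Windows event fields as structured data; use to_syslog_bsd() if the collector only understands the older RFC 3164 format.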

So from this (Domino console and log.nsf):

Image:Domino logging to Syslog

To this (Nagios Log Server):

Image:Domino logging to Syslog

And with a quick Elasticsearch query, all my Domino server logs in one place:

Image:Domino logging to Syslog

So there you have it. Domino logging to a syslog server.
Darren Duke   |   September 19 2018 05:42:29 AM   |    domino    |   Comments [4]

Here's my CollabSphere 2018 presentation from the conference in Ann Arbor, MI. Again, a huge thank you to Richard and Leann Moy for organizing another spectacular conference.

Darren Duke   |   July 26 2018 10:28:18 AM   |    domino  mwlug  collabsphere  presentation  security    |   Comments [1]

June 12 2018 Tuesday

10 Year Blogaversary

I really wasn't keeping track of this, but I've had some issues with the blog lately and went down the archive section and lo and behold the first post was on July 2nd 2008. 10 fricken years. An entire decade of ranting and raving and hopefully occasionally useful stuff......That's not to say I've really kept up the pace from the early years (in fact the frequency has plummeted), nor has it all been smelling of roses (more on that later).

So what have the last 1,685 posts taught me? Well, first off I've never moved the blog off of Domino, and that's a true testament to the genius that is Steve Castledine (I do find the occasional bug but I can usually work around that). The UI was changed back in 2013 (thanks to Sedar's work with Bootstrap) and the location moved to Prominic, but it's still the same NSF and same data. I wonder how many different blog platforms Stuart has tried in the last decade? It is behind Nginx these days and the blog was SSL'd a while back.

So what else has happened here since that first posting? Well....
  • 1,685 blog posts.
  • 2 podcasts have been born.
  • 1 podcast has been put to rest.
  • 8 end of year (snark) reviews have been published.
  • At least 13 conference presentations have been given (11 are linked on the blog), but that number is probably closer to 17.
  • There are 13 drafts that never saw the light of day. One or two are pretty scathing.

Now for some interesting product things....

First BlackBerry post - July 8, 2008
Last BlackBerry post - March 9, 2011

First iPhone post - March 9, 2011 (the exact same post as the last BlackBerry one!)

First Quickr post - August 21, 2008
Last Quickr post - August 25, 2017 (almost a year after IBM support ended)

First Symphony post - June 11, 2009
Last Symphony post - June 11, 2009 (only one post, a tad prescient)

First Let's Encrypt post - October 1, 2015

First Veeam post - June 15, 2009

I don't track any other stats any more, like page reads and that kind of stuff (if there is any Google Analytics stuff in here, it's just because I've not gotten around to taking it out...I'm egotistical and a tad narcissistic but not *that* egotistical and narcissistic), but you can tell the popular posts usually by either comments on the blog or off-line messages like email or phone calls. So what were the most active blog posts? There are two and they are both IBM related, and remember when I said above it was not all plain sailing....

The first was a lamenting, somewhat ranty yet absolutely correct post where IBM were all fired up about mail.next and I mentioned that mail.now should take precedence. This culminated in IBM threatening to revoke (my non-existent) IBM Champion status and I believe they also threatened to sue STS and boot us out of the business partner program. Now you may be wondering what caused all this kerfuffle. This sentence, “no one in my organization will tell me the truth because I’m a vindictive asshole, so don’t cross me or I will end your career", in reference to what an IBM executive may think to themselves.

Now, IBMers usually won't call me directly, so they'll go via Lisa. Call they did, and all they seemed to want to know was who this IBM executive could possibly be. It wasn't anyone I actually know personally, so if you've ever had a conversation with me, it's not you. It also wasn't any of the names mentioned in the calls Lisa got involved in. Boy was she pissed at me, but I think IBM using threats pissed her off more. Buy her a drink at the next conference you see her at and get the full story.

The second was also IBM Champion related. It is also one of the funniest things I've ever done "form-submission-wise". I filled in an IBM Champion self nomination for myself and actually submitted it. You have to see it to really get it. I still chortle to myself on the odd occasion I go read that modern day classic.  

Honorable mentions also go to the posts about IBM killing 9.0.2 and its slightly older sibling 9.0.2 Where for art thou?.

What other upsides are there to this decade long journey? Well, I've not written or updated a resume/CV for years. The hiring process for new customers goes something like this:

Step 1 - Customer Googles something. Google kindly returns one of my blog entries.
Step 2 - The customer contacts STS asking if we know this stuff. Lisa searches the blog, sends several articles on the topic to the customer.
Step 3 - Profit.

Seriously, that's pretty much how this works now, and while we'll never really know how much impact the blog has had to STS revenue, I think it's up there. And Lisa never wanted me to start a blog in the first place! True story. Also a true story, the search was broken in the blog (due to a security HTTP header) and that's how I realized it had been 10 years.

Finally there is nothing quite like Googling something and your own blog post has the answer to the question. It's equal parts effing cool and worrying that you used to know this and no longer even remember writing the answer.

Here's to another 10 years......
Darren Duke   |   June 12 2018 05:10:19 AM   |    misc    |   Comments [4]

It's a three day weekend in the States so I'm busy patching servers and installing fix packs and interim fixes on Domino servers. I came across an issue that a customer had mentioned to me a few weeks back while on-site, one that I see all the time but think nothing of. Basically they stop all the IBM Domino services and any backup agents and they still can't install a FP or IF. They called support and were told to boot into safe mode and do the install (wtf support?).

Here's the error (and we've all seen it):

Image:You’re installing a new fix pack or IF on Domino and Windows won’t let you

So how do you fix this without booting into safe mode (again, wtf support?)? Well, provided you've stopped the IBM Domino services (both of them) and any backup agent services then the likely culprit is this little bugger, the Windows Management Instrumentation service:

Image:You’re installing a new fix pack or IF on Domino and Windows won’t let you

Stop this service (it may restart again, so if it does disable it until the upgrade completes, then re-enable and restart it).

You may see this; if you do, click OK, it's not going to hurt anything to stop these dependent services while upgrading:

Image:You’re installing a new fix pack or IF on Domino and Windows won’t let you

Once Windows Management Instrumentation is stopped, voila, Domino upgrades successfully:

Image:You’re installing a new fix pack or IF on Domino and Windows won’t let you

No need to boot into safe mode (again, again, wtf support?).

If you did disable the Windows Management Instrumentation service because it restarted, remember to go back and re-enable it and restart it.

Darren Duke   |   May 28 2018 04:38:43 AM   |    domino  upgrade    |   Comments [3]