Trigger Happy and power of community

On a project we are working on right now, we ran into something that looked like a show stopper: no real technical help from the developer, no log messages or files… and I remembered that it might be possible to meet the requirements with Trigger Happy, an open-source project now maintained by Ulrich Krause.

A quick test on one old setup and a look at the latest version were a disappointment: it was not possible to monitor ACL changes.

I made a feature request 2 days ago, and in less than 24 hours Ulrich published a new version with the new feature 🙂

A quick debug later, plus a new release today, and Trigger Happy can now monitor the ACL of one or all Domino applications on a server!

Once again, the Lotus/Notes/Domino/ICS/YellowBleeding community proved how great it is 💛

P.S.: we somehow made the initial project work, but now everybody has a great solution for IBM Domino database Content, Design and ACL monitoring 🙂

Misty morning and accidental find – Domino+AD SSO in Chrome

Just ran into something I didn’t know… Good old Kerberos SSO for Domino HTTP/web works with Google Chrome.

Old IBM documentation mentions only Internet Explorer and Mozilla Firefox, but Chrome has been able to log in with NTLM/Kerberos for some time now; in the beginning, using it required some command line parameters (or check out this).

The thing that looks new is that those command line parameters are not needed anymore. A properly configured Internet Explorer (Internet Options – Windows) is enough for SSO to work. To quote the site I already linked:

Note: The latest version of Chrome uses existing Internet Explorer settings. Older version of Chrome require additional configurations (see below).

I tested with Chrome v63 and v64. Looks good 🙂

Let’s Encrypt 4 Domino and one tip :)

Since August 2017, the great guys from midpoints GmbH have provided a simple solution to (automatically) get valid and modern SSL/TLS certificates from the Let’s Encrypt project onto your Domino server…

Fill in the request form on their site, get your copy of the Domino application, read the First Steps PDF that you’ll get with the template, and live happily ever after 😎

Tip 1:

In the latest setup, I ran into one issue that is often met by LE users (regardless of which web server they use): the web server has to be reachable from the Internet on TCP port 80. It’s not so unusual to have this port blocked on the firewall, and you might have to work with your network team to solve this.

This issue is not so obvious in the server logs; you’ll get an error message like this one:

HTTP JVM: org.shredzone.acme4j.exception.AcmeException: Failed to pass the challenge for domain mail.domain.tld, ... Giving up.

The acme4j error (acme4j is the library used internally in LE4D) can be traced in the docs and/or code.

Domino JVM8 and MS SQL

Since Domino 9.0.1FP8, JVM8 is the engine that runs Domino, and you should know a few things about it regardless of whether you develop or administer Domino apps.

First of all, the change is big, but compatibility with previous code is there, as expected, and most things should work without changes. For all our applications (dozens of them), the upgrade was simple and straightforward, as it has been for almost 30 years 😎

One of the few things that was an “issue” is (as expected) the list of security improvements that affect integration. “Issue” is in quotes, since technological progress and security improvements are basic components of IT.

If you use JDBC to communicate with MS SQL, and everything was working fine with JVM6, that could easily be just a happy circumstance of both SQL and the JVM using protocols that became insecure long ago… If you don’t have the option to fix the MS SQL side of the integration (that should be the real solution), it is possible to configure the JVM to use security options that are not default…

Java settings are in the java.security file (<Domino Program Dir>/jvm/lib/security/java.security), and the issue that came up a few times was the need to enable legacy protocols, as described in Microsoft’s Option-3.

Take some time and review java.security; you’ll need it sooner or later 😎

P.S.: Check out this Stack Overflow question for an example of this issue and some more details.

KYWS – Know your web server ;)

Domino HTTP is probably your default front to customers; it’s good to know what you are doing with it 🙂

Just a short reminder, we have a few commands you can tell to http.

And if you want to really, really restart the task, use restart task http. Only this option will restart the process at the OS level, break outgoing TCP connections, release all memory, etc.

If you just want to reconfigure the web server (e.g. you added a new Site document, Rule, Headers), you are fine with tell http refresh; it’s faster, and it keeps users online.

Most of the time, most admins just use tell http restart, but also, most of the time, it’s not the best option and/or solution.

FP9, interesting stuff

First of all, just to point out again: FP is Feature Pack, not Fix Pack; a lot of new things are inside.

Right now, we are preparing to roll out the update ASAP, to get JVM8 into production and get ourselves ready for FP10 and the update on the IBM Designer side.

This is the stuff we have run into so far:

  • The SMTP issue is a bit specific, but it is the kind of thing you don’t want to have to debug… As always, thanks go to Daniel for pointing this out to the community; also, get IF1
  • The JVM upgrade (from 6 to 8) leads to a change/upgrade of JDBC drivers, e.g. MS SQL; upgrade this also
  • The JVM change changed java.policy, …/lib/ext/*, etc., but we already know that; this time the java.security change is a big one (as JVM 6 to 8 is), and, for example, you might find yourself with the JVM dropping connections to some old MS SQL server… something like this:
    com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "SQL Server did not return a response. The connection has been closed.".
    18.09.2017 11:24:35 Agent error: ??? 18, 2017 11:24:34 AM com.microsoft.sqlserver.jdbc.TDSChannel enableSSL
    INFO: java.security path: C:\IBM\Lotus\Domino\jvm\lib\security
    Security providers: [IBMJSSE2 version 1.8, IBMJCE version 1.8, IBMJGSSProvider version 8.0, IBMCertPath version 1.8, IBMSASL version 1.8, IBMXMLCRYPTO version 8.0, IBMXMLEnc version 8.0, IBMSPNEGO version 8.0, SUN version 1.8]
    SSLContext provider info: IBM JSSE provider2 (implements IbmX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.

    Check out the jdk.tls.disabledAlgorithms parameter and enable the algorithms you still need, or, something that might sound too unorthodox, upgrade your SQL servers 🙂
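
The java.security review recommended in both the JVM8/MS SQL post and the FP9 notes above can be scripted. This is an added example, not code from the original posts or from IBM: it compares the jdk.tls.disabledAlgorithms entries of two copies of java.security and reports what was re-enabled. Both file contents are constructed samples and the function names are hypothetical.

```python
# Added example: audit jdk.tls.disabledAlgorithms between two java.security copies.
# Both samples are constructed for illustration; they are not the files Domino ships.
BASELINE = r"""
# constructed sample: file saved before any manual change
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 1024, 3DES_EDE_CBC
"""

CURRENT = r"""
# constructed sample: file edited so an old SQL Server can connect again
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 768
"""

def load_properties(text):
    """Parse key=value lines, skipping comments and joining '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue                      # value continues on the next line
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def disabled_algorithms(text, prop="jdk.tls.disabledAlgorithms"):
    """Return the property's entries as a set, with whitespace normalised."""
    value = load_properties(text).get(prop, "")
    return {" ".join(item.split()) for item in value.split(",") if item.strip()}

def audit(baseline_text, current_text):
    """Entries dropped from the disabled list are usable by the JVM again."""
    base = disabled_algorithms(baseline_text)
    cur = disabled_algorithms(current_text)
    # A loosened key-size limit shows up as one entry in each list.
    return {"re_enabled": sorted(base - cur), "newly_disabled": sorted(cur - base)}

if __name__ == "__main__":
    for kind, entries in audit(BASELINE, CURRENT).items():
        print(kind, entries)
```

Run it after each fix pack against a saved copy of the previous file; anything listed under re_enabled is a protocol, cipher or key size the JVM will negotiate again.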

 

EDIT:

One thing that should be double-checked after every update: java.policy

Some related links:

http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0044333FDB4446F7852580E800476FC1