Lotus Nut

A blog for the Lotus Nut!

All entries tagged with domino

Domino Server Security Tip with Quickr (SnTT)

Chris Whisonant  

One of the Domino Server security settings that I rarely see implemented is the option to "Enforce Server Access Settings". In the link, you can see that Ted describes the feature nicely.

With Quickr, you have the ability to grant access to places for people not listed in your directory. However, I have found that there is a "gotcha" when using this Domino security option if you also have the setting to only allow "Users listed in all trusted directories" checked in the Security tab of the Server document. Since the internal "place users" are not in your Domino Directory, they will not be able to log in.

But there is a way around this. Place-specific users are created in the ACL as me@domain.com/placename/QP/DominoDomain. This means that, along with "Users listed in all trusted directories", you should be able to add */QP/DominoDomain to the list of names allowed to access the server.

Oh, and you'll also have to make sure that LocalDomainServers (or some other server group) has access to the server as well. :)

7.0.3.1

Chris Whisonant  

Domino 7.0.3 Fix Pack 1 is now available for download.

List of fixes for 7.0.3 Fix Pack 1

Information about Lotus Domino 7.0.3 Fix Pack 1

Download Fix Pack 1 (FP1) for IBM Lotus Domino 7.0.3

Domino 8.0.1: 101 - Mandated ID Encryption Standard (SnTT)

Chris Whisonant  

Continuing my series on Domino 8 Administration features, new with Domino 8.0.1 is the option to mandate the encryption standard for ID files. Full details can be found at the infocenter. With Notes 8.0 and Domino 8.0.1, there is an option to use AES for ID file encryption. Here's how strong AES is:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

Implementation of AES requires a Domino 8.0.1 server. A Security Settings document is used to configure how the ID file's encryption will be enforced on your server. In a new or existing Security Settings document, you will need to go to the Password Management tab and then scroll to the bottom to the ID File Encryption Settings section:


For both the Mandated and Allowed encryption standards fields, you have the following choices (the same choices as when you change your password in Notes 8.0):
  • Compatible with all releases (64 bit RC2)
  • Compatible with release 6 and later (128 bit RC2)
  • Compatible with release 8 and later (128 bit AES)
  • Compatible with release 8 and later (256 bit AES)

First of all, it is great that companies can now mandate this. But the super swank option is the "Key derivation strength (iterations)" field. In layman's terms, the higher you set this value (the default is 5000), the longer a dictionary attack against the ID file will take. It won't be impervious to an attack, but you shouldn't be using passwords that are in dictionaries... From the infocenter:

"Key derivation strengthening is a technique used to make it more costly for malicious attackers to guess likely passwords through a brute force dictionary attack. They work by increasing the time it takes to generate a key from a password. The value for this field is the number of times an HMAC algorithm is applied as part of the operation that generates a key from the password. Specifying a larger number for this value increases the duration of each attempt during a dictionary attack. The default setting for this field is 5000, which is acceptable in most environments. Organizations with higher security requirements may wish to specify a higher value."

So, once you have your servers at 8.0.1 and then have clients at 8.0 or higher, you can begin enforcing this. However, you may also phase this in with a tiered approach. For instance, if you have admins and/or developers that may have access to sensitive data, you may wish to get them on the Notes 8.0 + client and apply a special security settings document to their policy.
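
Added example (not from the original post or from IBM): the infocenter passage describes a key produced by applying HMAC repeatedly, so the sketch below writes out PBKDF2-HMAC-SHA1 as a stand-in and counts the HMAC applications behind each password guess. The post does not name the ID file's actual derivation function; the salt, passphrase, wordlist size and HMAC rate are constructed values for sizing the policy field.

```python
import hashlib
import hmac


def derive_key(password: bytes, salt: bytes, iterations: int, key_bytes: int):
    """PBKDF2-HMAC-SHA1 written out; returns (key, number of HMAC applications)."""
    hlen = hashlib.sha1().digest_size            # 20 bytes per output block
    blocks = -(-key_bytes // hlen)               # ceiling division
    calls, out = 0, b""
    for index in range(1, blocks + 1):
        # First application mixes in the salt and the block counter.
        u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha1).digest()
        calls += 1
        acc = int.from_bytes(u, "big")
        # Every further iteration is one more HMAC, XORed into the block.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            calls += 1
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(hlen, "big")
    return out[:key_bytes], calls


def wordlist_hours(words: int, iterations: int, hmac_per_second: float) -> float:
    """Hours to try every word once against a 128-bit key (one HMAC per iteration)."""
    return words * iterations / hmac_per_second / 3600


if __name__ == "__main__":
    salt = b"constructed-salt"                   # constructed sample value
    assumed_rate = 1e6                           # assumption: HMACs per second
    for iters in (1, 5000, 50000):
        key, calls = derive_key(b"constructed passphrase", salt, iters, 16)
        hours = wordlist_hours(10_000_000, iters, assumed_rate)
        print(f"iterations={iters:>6} hmac_calls={calls:>6} "
              f"key={key.hex()} wordlist_pass={hours:.1f}h")
```

The cost of a single legitimate unlock grows by the same factor as the cost of each guess, so the value chosen in the Security Settings document is a trade-off against client login time.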

Lotus Notes Domino 8: Upgrader's Guide

Chris Whisonant  

I received a copy of the book Lotus Notes Domino 8: Upgrader's Guide just before Lotusphere. It is published by Packt Publishing and was authored by a team of 7 people who work at ISSL (IBM Software Services for Lotus). As the title states, this book is for anyone wanting to upgrade to ND8. As 8.0.1 is coming out this week, many shops will be anxious to upgrade at this time. This book will be very beneficial for you.

There are 10 chapters and an appendix:

  1. A Short History of Notes and Domino
  2. Overview of New Lotus Notes 8 Client Features
  3. Lotus Notes 8 and SOA
  4. Productivity Tools
  5. Lotus Domino 8 Server Features
  6. Deployment Enhancements in Notes/Domino 8
  7. Upgrading to Notes/Domino 8
  8. Coexistence between Notes/Domino Releases
  9. What's New in Notes/Domino 8 Development
  10. Integration with Other Lotus/IBM Products
    Appendix: Third-Party Products

It's always great to brush up on the history of the platform. Looking back where it's been and then going into chapter 2 on the new Notes 8 client is a great way to start a book like this. Chapter 3 describes how to use Composite Applications to integrate with your infrastructure and is followed by a chapter on the Productivity Tools. As an administrator, I really found chapter 5 to be helpful. As readers of my blog will know, there are tons of new features with Domino 8 and this chapter does a good job at covering those. Some methods for performing upgrades are laid out in Chapter 6.

Chapter 7 is also extremely valuable. Not only does it review the technical aspects of the upgrade, but there is a great section on the planning that should be done prior to any upgrades. Many of the practices listed here should be put in place for shops of all sizes. And in the instances where an entire infrastructure cannot be upgraded at once, Chapter 8 provides some information on running multiple versions (for instance, remember that if you go from 6.x to 8 that you'll need to do the rooms and resources upgrades that were necessary with the 7 upgrade!). Chapter 9 covers many of the new features with development - composite apps, DB/2, formula/LotusScript additions, etc... And we see in chapter 10 many tips on installing and integrating with other Lotus products (Sametime, WPS, Quickr, Connections, etc...). Then there is an appendix with some third party products that may be beneficial in your environment not only for upgrading but for other things such as reporting.

I highly recommend this book for those of you who may be looking for a place to find the information you need to press on with an upgrade to Notes and Domino 8!

Fragmentation and Domino

Chris Whisonant  

Over at IdeaJam, someone posted an idea on certifying NTFS defragmentation utilities for Domino. Below is my comment there - I would love to see what some of you think about this. Also, here is an example of what I see time and again when looking at fragmentation on Domino systems:



I don't care what file system you use, if you are using Domino you will have fragmentation. Even the WAFL fs has a defrag utility, even though it may be less susceptible.

The "problem" with Domino databases is that right after you defrag the volume, the file system starts to fragment because you're adding to the databases and that data has to go somewhere. It cannot go into a contiguous block because there may not be block space available due to the defrag tool keeping all files contiguous when defragging. And this isn't necessarily a problem with Domino - it's more of an issue with the file system and how it allocates storage.

To deal with this and achieve good uptime, I had hoped that a copy-style compact would be a poor man's defrag. Initially, it would seem that this would work because a new copy of the database would be created. However, this is not so because Domino doesn't (or can't?) always allocate a contiguous block that will store the entire database. Besides, Domino creates the database and has to start allocating space for the individual documents. Even if Domino could allocate a contiguous block, it would still suffer from fragmentation when new documents are added. (note: I didn't put this at my Idea Jam comment, but I would note that other transactions on the system will likely start to allocate blocks where the copy-style compact would be placing the data, so this is why more fragmentation may occur).

If Domino could get around this and use a contiguous block, I would propose something like "load compact -c +10" so that you get 10% white space in the new copy. Then you could have some white space in which new documents can be created and not cause further fragmentation.

Taking Domino out of the equation, something that may actually be faster than a defrag is to move all of the databases (or at least the largest or most heavily fragmented) off of the disk onto another volume and then run a defrag on the remaining files on that drive. Then just move the data back and the file system should allocate contiguous blocks for the new data while it's creating them one at a time.

Any other thoughts?

Speedgeeking Slides from Lotusphere 2008

Chris Whisonant  

I was honored to be one of the Speedgeeks at Lotusphere 2008. It was a blast!!! I presented "10 Domino 8 Tips in 5 Minutes". There are a ton of new features and enhancements for Administrators in Domino 8. You can now get my slides here.

I've posted some more details on many of these in a Domino: 101 series at my old blog, so be sure to check out that series if you haven't already!