dachnug51 - Whats new in domino 14 .pdf

DNUGOffice 69 views 90 slides Jul 02, 2024

About This Presentation

dachnug51 | Whats new in domino 14+ | Daniel Nashed


Slide Content

Domino 14.0+
DACHNUG, June 2024
Daniel Nashed -- https://blog.nashcom.de

•Initiated for #DACHNUG49
−https://dnug.de/dnug-lab/
•Stable, permanent lab environment covering the latest Domino, Traveler, Nomad, ST, .. features
•Can be used by all members for
−Checking out new functionality
−Collaborate on projects
•Reference implementation for Domino on different platforms
−Windows, Linux, Docker, Podman
−Veeam Backup & Replication with Domino Backup
−Kubernetes environment K3s
−Domino 14.0 FP1 is run in DNUG Lab – Screenshots are based on the lab environment

Domino Infrastructure
& Installation
Windows & Linux

Domino 14 Compiler versions/platforms
•Why new compilers
−New compilers generally generate “better” code
▫Better optimization, code checking, etc.
−Newer C/C++ language standard support
−Compilers also have their support lifetime
−On Linux, compilers are part of the Linux framework (glibc, etc.)
•Windows
−Visual Studio 2022
•Linux
−GNU C Compiler shipped with Red Hat Enterprise/RHEL 9.1
▫gcc (GCC) 11.4.x, glibc 2.34

Domino 14 on Windows
•Supported on Windows 2019 and 2022
−Older server versions are out of Microsoft support – you should update to Windows 2022 Server
−Windows 10/11 are unsupported desktop operating systems
▫Still OK for local testing, especially with Microsoft Sandbox
−There is a new warning you have to confirm for unsupported OS versions
−Tip: For silent installs use ABORT_INSTALL_WITH_UNSUPPORTED_SYSTEM_WARNING=NO
•Windows uses the universal runtime
−Existing applications should continue to run

Domino 14 on Windows
•Major Security change – Run as unprivileged user instead of admin
−On UNIX the server was always running with a “notes” user instead of the root user!
−Instead of Local System Account by default “NT AUTHORITY\LocalService” is proposed
−Switching back to the System Account by changing the service back is still supported but not recommended
−Data directory permissions and service settings are automatically updated
−Take care: Additional directories (translog, DAOS, NIFNSF & FT) are not automatically updated!

Domino 14 on Windows
•Running with a non-admin user needs file system permissions to fit
−Only data directory is updated automatically
−Translog, DAOS, FT, NIFNSF might be on separate disks and need update
▫Your server will crash at startup without translog permissions!
−Either use the file explorer to change the settings or use command line
•Example icacls commands
−icacls "e:\translog" /grant *S-1-5-19:(OI)(CI)(F)
−icacls "e:\translog" /setowner *S-1-5-19 /t /c /q
−icacls "e:\translog" /remove:g Everyone /t /c /q
•Tip: Run an interactive session to check permissions
−psexec -i -u "nt authority\localservice" cmd.exe (Sysinternals tool)
*) S-1-5-19 is the internal representation of the Local Service Account

Domino 14 on Windows
•Notes.ini is now always located in data directory
−On UNIX and partitioned servers notes.ini was always in data directory already
▫Aligns configurations and separates data and binaries
•Notes.ini is a data file which needs write permissions
−Program directory should be always read-only
▫Windows Program Directory has special permission settings and does not allow non-admins to write
•Notes.ini is automatically moved to data directory by installer
−Installer also modifies registry settings for service automatically

Domino 14 on Windows
•Take Action
•New Notes.ini location
−Check all invocations and add-on applications if they are working with new notes.ini location
•System account vs Local Service Account
−Ensure all applications can handle running on a different user than the System Account
▫Special candidates: Domino Backup software like Commvault
•Take care the SSH directory is located here (important for Veeam Domino Backup integration)
−C:\Windows\ServiceProfiles\LocalService\.ssh
•Tip: For silent installs specify the user via
−IA_USERNAME=NT AUTHORITY\\LocalService (or LocalSystem for system account)

Domino 14 on Linux
•Domino 14.0 System Requirements
−https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108740
•Minimum requirements
−kernel-5.14 x86_64 or higher 5.14 kernel
−glibc-2.34-28 x86_64 or higher
−libstdc++-11.2.1 x86_64 or higher
•Those limits are checked during installation
−glibc and libstdc++ cannot be checked on Ubuntu and Debian based systems
▫Workaround: export INSTALL_NO_CHECK=1 before starting the installer
•Latest major version of Linux long term release distributions support those requirements

Domino 14 on Linux
•Domino 14.0 is built on Red Hat Enterprise 9.1
−Sets the minimum kernel, glibc and libstdc++
•glibc is the GNU C standard library
−https://www.gnu.org/software/libc/
−C runtime is part of each Linux distribution
−Latest version 2.38, 2023-07-31
−Domino now requires 2.34, 2021-08-01
−Linux versions with older glibc will not work
▫But latest Linux major version of enterprise Linux versions ship with 2.34 or higher mostly

Domino 14 Linux Distributions
•Red Hat Enterprise 9.1
−Fully HCL tested, certified and supported distribution
•All long term support distributions meeting system requirements are supported but not tested by HCL
−But you can’t expect HCL support can help you with Linux distribution specific questions like installation
•New HCL GitHub repository listing community tested versions and other useful information about installation
−https://opensource.hcltechsw.com/domino-linux/
•Recommended free distributions
−CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, ..
−Ubuntu 22.04 LTS
−VMware Photon OS 5

Domino 14.0 on SUSE Linux
•Latest versions of SUSE Enterprise and Leap 15.6 just shipped in June
−Older versions have a too old glibc 2.31 version
−New version ships with glibc 2.38
−Kernel version is 6.4 which has not been tested by HCL yet
•SUSE Tumbleweed
−Is a rolling release (similar to what Fedora is on the Red Hat side)
−Rolling releases are not recommended for Domino
−On a rolling release Domino could break any time
−You are absolutely on your own

Notes/Domino Java Update to 17.0.8.1
•The JVM has been updated from Java 8 to Java 17
−Major update, which also required Eclipse to update to a matching version
−Retest all your Java based applications before updating to Domino 14.0!
−Personally I would have expected more partners and customers to participate in the early access program for such an important release.
java -version
openjdk version "17.0.8.1" 2023-08-24
IBM Semeru Runtime Open Edition 17.0.8.1 (build 17.0.8.1+1)
Eclipse OpenJ9 VM 17.0.8.1 (build openj9-0.40.0, JRE 17 Windows 10 amd64-64-Bit Compressed References 20230824_503 (JIT enabled, AOT enabled)
OpenJ9 - d12d10c9e
OMR - e80bff83b
JCL - 8ecf238a124 based on jdk-17.0.8.1+1)

Domino 12.0.2 Status of Standard Software
•OpenSSL 3.0.5
−New major OpenSSL version
−Modular design helps with FIPS 140-2 support
▫https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/
−Starting with Notes/Domino 12.0.2 OpenSSL is linked into core with no separate .dll/.so files!
•LibCurl 7.83.0
−Important package for HTTP/HTTP client operations, leveraging OpenSSL
−Linked into core Notes/Domino since 10.x
−Used in Lotus Script HTTP Request Class and back-end for other features (CertMgr, OIDC, AutoUpdate, ..)
•Apache Tika 2.4.1
−Used for attachment filtering when full text indexing attachments
−tika-server.jar → Java process accessed via REST API over 127.0.0.1 – Also using libcurl…

Domino 14.0 updates Standard Software
•OpenSSL 3.1.2
−New minor OpenSSL version (August 2023)
−https://www.openssl.org/
•LibCurl 8.2.1
−New major version, almost latest
−https://curl.se/libcurl/
•Apache Tika 2.4.1 stays the same
−(Latest version would be 2.9.1)
−https://tika.apache.org/
•Packages in Domino 14.0 are again newer than in most Linux distributions!

Domino 14.0 Additional Components
•Some components are not enabled by default
−Verse 3.1 (default)
−Nomad 1.0.9 (optional)
−OnTime 1.11.1 (optional)
•Select
−Domino Custom Enterprise Server to find additional options …

Domino 14.0 Additional Components
•Options need to be selected manually
−Ensure you have the right license type…
•Can be also enabled in silent install
−CHOSEN_FEATURE_LIST=Domino,Nomad,Verse,OnTime,Help
−CHOSEN_INSTALL_FEATURE_LIST=Domino,Nomad,Verse,OnTime,Help
•Tip: Record a response file via -r
−Or check the one that ships with Domino

Domino 14 Backup
•Backup of notes.ini
−Written to backup log document
−Written to log directory
−Notes.ini restore is available without a restore operation
•No other big enhancements in core Domino Backup
•But check GitHub Repository with Backup integration and additional information
−https://opensource.hcltechsw.com/domino-backup/

Domino 14 Backup
•New Borg Backup integration for Linux by Nash!Com
−Native C application to control the Borg Backup binary
−Each Domino backup is now a single archive, instead of an archive per file.
−“nshborg” binary is a native integration (in C/C++) option without scripts
−Easy to compile, install and configure (DXL import file)
•New GitHub repository
−https://github.com/nashcom/domino-borg
•Borg Backup
−Free, open source, secure, compressing and deduplicating Linux based backup
−Supports remote repositories
−https://borgbackup.readthedocs.io

Domino 14
One Touch Setup

Domino 14 One-Touch Setup (OTS)
•Introduced in Domino 12.0
−Enhanced in every dot release
•Setup Domino first and additional servers via Environment variables or JSON formatted files including database, document update, creation
•New OTS features in Domino 14.0
−Certificate Authority
−Create a full-text index
−Autoregister servers with specific names
−Create response documents
−Create replicas on additional servers
−FindDocument criteria can be specified by using a Notes formula
−An additional server can be created using files in a "seed" directory if the first server is unavailable

Domino 14 One-Touch Setup (OTS)
•HCL Documentation
−https://help.hcltechsw.com/domino/14.0.0/admin/inst_onetouch.html

New OTS GitHub Repository
•Examples, additional documentation and complete setup configurations
−https://github.com/HCL-TECH-SOFTWARE/domino-one-touch-setup

Domino Security
-Inbound disclaimers
-OIDC Enhancements
-Passkeys

Inbound Mail Disclaimers
•Many customers asked for inbound mail disclaimers to mark external messages for security reasons
•Domino 14 introduces subject and body mail disclaimers
−Inbound SMTP disclaimers are usually configured on external mail gateways receiving SMTP mail
−If message is encrypted or signed, notification is in subject only
−Inbound disclaimer text is specified in server configuration document
−Internal messaging gateways usually don’t need to add inbound disclaimers (e.g. scanners, internal application servers, …)

Inbound Mail Disclaimer Configuration
•Configuration in Configuration document
−Router/SMTP → Restrictions and Controls → SMTP Inbound Controls → External Email Notifications
•Flexible configuration
−External only or all domains
−Where to add the text subject/body
−HTML format
−Exclusion for hostnames/IPs
−Subject modification if message is signed to avoid breaking the signature
•Limited number of chars for subject (30) and body (4096)

Improved OpenID / OIDC functionality
•OIDC Login and Bearer authentication have been introduced late in Domino 12.0.2 EA builds
−Some configuration was only available via notes.ini
•With Domino 14.0 more compatibility with additional backends was added
•All relevant configuration moved to the OIDC configuration document in idpcat.nsf
•See what’s new for all security enhancements
−https://help.hcltechsw.com/domino/14.0.0/admin/wn_security14.html

Improved OIDC UI
•All relevant configuration was added to the OIDC configuration form in idpcat.nsf
•Example configuration for OIDC with Google

TLS Ciphers for RSA Keys changed
•Only four TLS Ciphers for RSA keys remain available as security
−All other ciphers have been categorized as weak.
−Take action: Disable all other ciphers in server doc and internet sites documents
−The two hardcoded ciphers for ECDSA keys picked automatically remain unchanged
•Sametime:
−Sametime 12.0.2 finally supports current ciphers by using a current OpenSSL Version
−Good news: No Weak Cipher configuration needed for LDAPS connections any more!

Additional Security Changes
•Security policy for ID file encryption
−Set a policy to upgrade the algorithm used to encrypt the ID file to AES-128 with SHA-256 or AES-256 with SHA-512, when changing the password
•SHA256 support for Internet password in Domino directory
−With Domino 14.0, users' password hashes will now be updated to SHA256 when they change their Internet passwords in Person Document

Passkey Authentication
•One of my favorite features in Domino 14
•A new standard for passwordless authentication
−Easier to handle than certificate-based authentication, much more secure than user/password authentication
•Most browsers support passkeys
•Especially Apple devices have great Passkey support
−Passkeys are stored in Apple Keychain
•Windows Hello support to login on Windows 10/11
−Windows 11 has enhanced support
•Remote login via phone camera and Bluetooth

Setup Passkey Authentication
•Configured in Server doc / Internet site
−Requires session based authentication
−Custom login form in domcfg.nsf
$$LoginUserFormPasskey

Setup passkey.nsf
•Create passkey.nsf from template
•Passkey database contains one entry per registered passkey and internet site
−Contains latest login date
−Details about the type of Passkey
−Public key (not listed in UI)
•Detailed documentation with information about Passkeys
−https://help.hcltechsw.com/domino/14.0.0/admin/wn_passkey
authentication.html

Domino 14 Cluster safe Single Server Session Cookie
•Usually the better way is to use a LTPA SSO cookie
−If a single server cookie is needed this new feature can be helpful
•Cluster-safe, sprayable, single-server session cookies (DomAuthSessId)
−New notes.ini DominoSessionCookieUniqueNames=1
−Name of the DomAuthSessId cookie becomes DomAuthSessIdABCDEFGHIJK
−ABCDEFGHIJK is the first 11 characters of Base64url [SHA256 (Domino server DN)]
−This causes multiple Domino servers that are all serving the same internet site to choose unique cookie names instead of overwriting each other's cookies
−Disabled by default due to concerns about breaking current applications and sprayer rules with special logic for cookies named "DomAuthSessId"
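
Added example (not from the slides and not HCL code): deriving the per-server cookie names described above in Go, so sprayer or WAF rules and log reviews can recognise them once DominoSessionCookieUniqueNames=1 is set. The server DNs, their canonical string form and the UTF-8 hashing are assumptions; the slide does not say which DN representation Domino hashes.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

const cookiePrefix = "DomAuthSessId"

// UniqueCookieName returns the prefix plus the first 11 characters of
// Base64url(SHA256(serverDN)), as stated on the slide.
// Assumption: the DN is hashed as the UTF-8 bytes of the string passed in.
func UniqueCookieName(serverDN string) string {
	sum := sha256.Sum256([]byte(serverDN))
	return cookiePrefix + base64.RawURLEncoding.EncodeToString(sum[:])[:11]
}

// BuildCookieMap maps every derived cookie name to its server DN and
// reports a collision between two different servers.
func BuildCookieMap(serverDNs []string) (map[string]string, error) {
	names := make(map[string]string, len(serverDNs))
	for _, dn := range serverDNs {
		name := UniqueCookieName(dn)
		if other, seen := names[name]; seen && other != dn {
			return nil, fmt.Errorf("cookie name %s collides for %q and %q", name, other, dn)
		}
		names[name] = dn
	}
	return names, nil
}

// CookieReport summarises the session cookies found in one Cookie header.
type CookieReport struct {
	Servers []string // cluster members for which a session cookie is present
	Legacy  bool     // an un-suffixed "DomAuthSessId" cookie is present
	Unknown []string // suffixed cookies that match no known cluster member
}

// ClassifyCookies inspects a raw Cookie header against the known name map.
func ClassifyCookies(header string, known map[string]string) CookieReport {
	var r CookieReport
	for _, pair := range strings.Split(header, ";") {
		name := strings.TrimSpace(strings.SplitN(pair, "=", 2)[0])
		switch dn, ok := known[name]; {
		case ok:
			r.Servers = append(r.Servers, dn)
		case name == cookiePrefix:
			r.Legacy = true
		case strings.HasPrefix(name, cookiePrefix):
			r.Unknown = append(r.Unknown, name)
		}
	}
	sort.Strings(r.Servers)
	return r
}

func main() {
	// Constructed server DNs for illustration only.
	cluster := []string{"CN=mail01/O=Acme", "CN=mail02/O=Acme"}
	known, err := BuildCookieMap(cluster)
	if err != nil {
		panic(err)
	}
	for name, dn := range known {
		fmt.Printf("%s -> %s\n", name, dn)
	}
	// Constructed request header: one suffixed cookie plus a legacy one.
	hdr := "lang=en; " + UniqueCookieName(cluster[1]) + "=0123ABCD; DomAuthSessId=FFFF"
	fmt.Printf("%+v\n", ClassifyCookies(hdr, known))
}
```

A legacy or unknown cookie in the report points to a server that has not enabled the setting or is missing from the DN list, which is the case existing sprayer rules need to cover.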

DAOS Enhancements
NLO Repair in a Cluster

Domino 14 Cluster Repair
•Cluster repair has been introduced in Domino 10
−NLOs have been only part of full database repairs
−The new feature introduced in Domino 14.0 is a NLO level repair in a cluster
•NLOs can only be repaired if the DAOS catalog knows the NLO is missing
−Tell daosmgr resync force can help to find missing NLOs
−tell daosmgr repair B02F6276EF3F30CCD1BE58538BCED5FCB4DC09E300019481.nlo
−tell daosmgr repair objects
−By default only 100 NLOs at a time are repaired
▫Notes.ini DAOS_REPAIR_LIMIT=n to increase the limit
•NLOs are repaired from all cluster mates (“donors”)
−The remote server decrypts a NLO if needed and the receiving server encrypts it based on local settings

Admin Central
User & Group management
Notes Client, Nomad Web & Mobile

Domino 14.0 Admin Central
•Simplified
−User management
−Group management
−Domain wide Notes database created on admin server (admincentral.nsf)
−Notes Client, Nomad Web and Nomad Mobile optimized design
•Two target personas
−Senior Admin sets up configuration and profiles per certifier
−Junior Admin or business user manages users and groups
•Request model
−User only needs access to autoupdate.nsf
−Signed request documents processed by adminp process
−Adminp process tracks and updates requests

Domino 14.0 Admin Central Detailed Requirements
•User management requires certifiers imported into Domino CA to manage users
−Automatically created for first server setup with One Touch Setup for new environments
−Admin Server performs Domino CA and ID Vault operations.
•Access rights defined in admincentral.nsf only
−No write access to Domino Directory nor admin4.nsf required
•Remote console functionality requires console admin access in server document
•Notes Client 12.0.1 or Nomad Web 1.0.9 or higher required
−Uses Notes named documents added in 12.0.1

Admin Central Dashboard & Navigation

Admin Central Action Dialog

Admin Central Create User

Domino Auto Update
-Notify
-Download
-Distribute
-Install (Preview)

Domino 14.0 “Auto Update”
•Notification for new software
•List current software packages
•Download software packages to autoupdate.nsf
•Distribute Server software to specified servers (Release/FP/IF in first step)
•First deliverable which is planned to be extended in the next feature release
−Provides the base for providing the next levels of functionality
•Integrated with My HCLSoftware Portal (MHS)
−Leverages MHS download API implemented for Domino Auto Update

My HCLSoftware Download Portal (MHS)
•New portal which has been under early access in parallel to Domino 14.0.
−Not a coincidence because Domino 14.0 Auto Update leverages downloads directory from MHS.
•MHS replaces Flexnet (FNO) downloads step by step
•Provides a modern and easy to use, faster software search and download experience
•Your existing HCL ID continues to work on new portal
•https://my.hcltechsw.com/

My HCLSoftware Download Portal (MHS)

My HCLSoftware Download Portal (MHS)

Auto Update Setup & Auto Notify
•Domain wide feature configured in Domino Directory
•One designated download server loads software & schedules distributions
−Proxy support including authentication to bridge networks (DMZ)
•Product Info documents are stored in Domino Directory
−Downloaded from Fixlist servers and validated

product.jwt
•Located on HCL Fixlist servers
−Configured in Domino Directory profile
•Contains information about products
−Downloaded by autoupdate into names.nsf
−Converted into Notes items (JSON itemizer)
−Also contains Logo Data
•JSON data provided as JWT
−Signed by build room with an Ed25519 key
−Public keys are baked into Domino to validate JWTs
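
Added example (not HCL's implementation): how a client can validate an Ed25519-signed JWT against pinned public keys before trusting the JSON inside, which is the model the slide describes for product.jwt. The key material, claim names and tokens are constructed for the demo; the real layout of product.jwt is not shown on the slide.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// VerifySignedCatalog returns the JSON payload of a compact JWT only if the
// header pins alg=EdDSA and the signature verifies under a pinned key.
func VerifySignedCatalog(token string, pinned []ed25519.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a three-part compact JWT")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("header JSON: %w", err)
	}
	// The verifier decides the algorithm, never the token ("none", HS256, ...).
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("rejected alg %q, only EdDSA is accepted", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed signature")
	}
	// The signature covers the encoded header and payload exactly as received.
	signed := []byte(parts[0] + "." + parts[1])
	trusted := false
	for _, key := range pinned {
		if len(key) == ed25519.PublicKeySize && ed25519.Verify(key, signed, sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return nil, errors.New("signature matches no pinned key")
	}
	// Parse the payload only after the signature check has passed.
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload encoding: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawBody, &claims); err != nil {
		return nil, fmt.Errorf("payload JSON: %w", err)
	}
	return claims, nil
}

// Pinned collects the public keys a client ships with.
func Pinned(keys ...ed25519.PublicKey) []ed25519.PublicKey { return keys }

// DemoKey builds a constructed, deterministic key pair for the demo only.
func DemoKey(fill byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = fill
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignSample produces a constructed token with the given alg header value.
func SignSample(priv ed25519.PrivateKey, alg, payload string) string {
	head := b64.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	body := b64.EncodeToString([]byte(payload))
	sig := ed25519.Sign(priv, []byte(head+"."+body))
	return head + "." + body + "." + b64.EncodeToString(sig)
}

// TamperPayload swaps the payload but keeps header and signature.
func TamperPayload(token, payload string) string {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return token
	}
	parts[1] = b64.EncodeToString([]byte(payload))
	return strings.Join(parts, ".")
}

func main() {
	pub, priv := DemoKey(1)
	_, rogue := DemoKey(2)
	payload := `{"product":"domino","version":"14.0"}` // constructed claims
	good := SignSample(priv, "EdDSA", payload)
	for _, c := range []struct{ name, token string }{
		{"valid", good},
		{"signed by unknown key", SignSample(rogue, "EdDSA", payload)},
		{"alg none", SignSample(priv, "none", payload)},
		{"payload swapped", TamperPayload(good, `{"product":"other"}`)},
	} {
		claims, err := VerifySignedCatalog(c.token, Pinned(pub))
		fmt.Printf("%-22s claims=%v err=%v\n", c.name, claims, err)
	}
}
```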

Auto Update Download Server & Target Servers
•Restart autoupdate servertask on designated download server
•Autoupdate task runs on all servers in the domain
−Download server schedules downloads and distributions
−Target servers perform pending requests & update their own server status documents in autoupdate.nsf

Auto Update Server Documents
•Autoupdate “Server documents”
−Each server maintains its own “server document” in autoupdate.nsf
−Contains version information, platform and other detailed information
−Used to schedule updates
▫Target version and schedule
−Status of server
•Central replica approach to avoid save/replica conflicts and to ensure immediate status updates
•Content delivery replicas can be created in remote locations
−Status updates are still performed on central server

software.jwt
•Located on HCL Fixlist servers
•Contains information about software web-kits
−Downloaded by autoupdate into autoupdate.nsf
−Converted into Notes items
−JSON data provided as JWT
•Also contains configuration
−My HCLSoftware API entry points

Auto Update Software Documents
•Software documents
−Created from software.jwt
−Platform, Product, Type, Language, Version
−FileName, SHA 256 Hash, Size in Bytes
−FileID – Internal MHS identifier used for download
−File attachment
▫DAOS is enabled by default for autoupdate.nsf
▫Files are loaded from MHS via HTTPS (LibCurl)
▫Target servers download file attachments via NRPC

Auto Update Configuration
•Global Configuration
−Software selection filter
−Log Level
−Download settings
−Proxy settings
•Action to set the “Download Token”
•Proxy password and Download Token requires a Notes 12.0.1 client or higher
−“Notes named document” functionality is introduced in Notes 12.0.1

Auto Update API Keys
•Log into the MHS Portal
•Acquire an API Key from MHS
−Specify a unique name for the token
−Copy the token
•Use action to set the “Download Token”
−Paste the token
•Once configured autoupdate.nsf is ready for download

Auto Update Distribute
•Scheduling a deployment will automatically download software if not yet downloaded
•Autoupdate knows about release / FP / IF / HF dependencies
−Scheduling an update for an IF would even know which HF to download for each platform
−The server document shows HF and IF version

Auto Update Schedule
•Low Priority
−Check for information updates accessing external HCL server (product.jwt, software.jwt)
−Default: 60 minutes
−Notes.ini AUTOUPD_LOW_PRIO_DL_INTERVAL_MINS=n
•High Priority
−All other operations including download (because they are admin initiated)
−Default: 5 minutes
−Notes.ini AUTOUPD_HIGH_PRIO_DL_INTERVAL_MINS=n
•Command Line manual override
−Tell autoupdate process all
−Tell autoupdate process low
−Tell autoupdate process high

Auto Update Deployment Groups
•Deployment documents
−Can be used to schedule deployments on multiple servers at once
−Servers assigned to a deployment group by adding deployment group name to the server document
▫Ensures each server is exactly assigned to one deployment group
•Deployments can be scheduled for
-One server
-Selected servers
-A deployment group

Auto Update Deployment Order
•Flexible concept to control how to deploy a new version
•When server installs are executed respecting the deployment order
•A deployment order number can have one or multiple servers
•All deployments wait until the lower deployment order is successfully completed
•Servers in the same deployment order are installed in parallel (in future)
•If any server in the previous deployment order failed, the whole deployment stops!

Domino Auto Update
Fit & Finish in Domino 14.0 FP1

Client categories
•Domino 14.0 only supported a single client type “client”
−This was problematic for calculating the latest version based on the combination of Product, Platform, Language, Type
•Domino 14.0 FP1 distinguishes three different client types
−Standard Client
−Admin/Design (aka All Client)
−Basic Client (available until 12.0.2)

Dynamic Categories
•In Domino 14.0 autoupdate.ntf contained static categories
−Intended to filter the catalog data for your needs (Platforms, languages, …)
•Starting with Domino 14.0 FP1 the categories are dynamic and sent along with software.jwt
•Allows addition of new keywords in future
•Allows to only show Software Selection Filter settings based on actual content provided
•Documents contain keyword and display fields leveraged in all views and forms
•New software.jwt format is designed to work with Domino 14.0 and 14.0 FP1

Domino Auto Update
-AUT Catalog integration

Auto Update Distribute to Notes AUT Catalog
•Domino 14.0 FP1 introduces integration between autoupdate.nsf and autcat.nsf
•Once enabled Notes Client WebKits are automatically pushed to autcat.nsf

Auto Update Distribute to Notes AUT Catalog
•Software pushed to autcat.nsf is shown in a new view
−Button to open AUT Catalog

Notes AUT Catalog
•Some Notes Client WebKits are pushed as multiple AUT Catalog documents
−Standard Client Fixpack is used for Admin/Design (All Client) and Standard Client
−64bit and 32bit to 64bit installers are two separate WebKits
•Auto Update takes care of pushing the Software accordingly

Notes AUT Catalog
•International Notes Client kits are not displayed correctly
•Language is missing
−Not a new issue
•Work around for 14.0 FP1
−Additional information is added for now

Leveraging AutoUpdate
-Download from autoupdate.nsf
-Domino Download Script

Downloading from autoupdate.nsf
•autoupdate.nsf
−Easy to download and replicate around
−Content delivery replicas can be created
−Attachments are stored uncompressed to allow faster download
−Domino 14.0 contains a performance fix to download from NSF via HTTPS
•A simple helper agent can let you find the right software and download it
−Check my blog for details
−Works with “Domino Download Script”
https://blog.nashcom.de/nashcomblog.nsf/dx/leveraging-domino-autoupdate-for-company-internal-for-downloads.htm

Domino Download Script
•Now that there is an API … I wrote a bash script to download software on command line …
−Integrated into the Domino Container project for automatic downloads

Domino Download Script
•Bash script supported on Linux, MacOS and GitBash on Windows
−Comes with an install option
•Requires a My HCLSoftware download token or could be used with Domino autoupdate.nsf …
•Allows download on any machine from easy to use menu
•Designed to work with HCL Domino Container build script
−Software is automatically downloaded (and locally cached)
•Supports custom download servers with user/password
•Can generate curl download commands
•Caches JSON data and authentication tokens

Domino Container
Image Update

Reasons to use Container Technology
•Automation testing
•Continuous development & deployment
−e.g. consistent deployment of applications in test, QE and production environments
•Cost reduction by standardization & automation
•Cost reduction by lowering the overhead to deploy and run a Container vs. VM
−Application runs an easy to deploy container instead of a separate virtual machine
•Automated updates with less down time (for individual servers)
•Containers can improve security
−If built and deployed in the right way!
[Diagram: virtual / physical machine, Linux kernel + binaries, Docker, and containers each holding Bins + App]

Domino Container Community Image
•Domino Docker “image” available since Domino 9.0.1
−Originally initiated at IBM as a GitHub Open Source project by Thomas Hampel
−Moved to HCL https://github.com/HCL-TECH-SOFTWARE/domino-container

•Not a ready to use image to download
−But you get a nice box of “LEGO® bricks” with a lot of flexibility
−Easy to use build script leveraging HCL Domino Linux server web-kits
•Additional functionality & flexibility
−Add-on installers for Nomad Server, Verse, C-API build environment, ...
•Supported by community project on

Domino Container Community Project
•New Features
−Add-on Domino image installs for all companion products
−New build label to add-ons including version
−Automation testing detecting all add-ons
−MHS download automation via Domino Download script
−New build menu
•Works hand in hand with dominoctl
−A container start script to run and update containers
−https://nashcom.github.io/domino-startscript/dominoctl/

Q & A + Feedback
•Open questions?
•Additional information
−https://blog.nashcom.de
[email protected]

Additional Resource

Domino Community Project & Documentation
•Project & Documentation
•Useful additional documentation
−Architecture
−How-To information
−References
−Examples
https://github.com/HCL-TECH-SOFTWARE/domino-container
https://opensource.hcltechsw.com/domino-container/

dominoctl – Domino Container Control Script
•Optional admin script designed to run the Domino Community + new HCL image
−Simplifies Domino container administration
−Supports docker & podman (+ nerdctl on Rancher Desktop)
•Run “dominoctl” from a prompt
−dominoctl provides command-line help
−Provides start/stop, update, config & troubleshooting commands
•Installation
−Clone or download the GitHub project https://github.com/nashcom/domino-startscript
▫Example: git clone https://github.com/nashcom/domino-startscript.git
−Run install script
▫./domino-startscript/install_dominoctl

Domino Start Script Project & Documentation
•Project & Documentation
•Full start script documentation
−Including all commands
•OneTouch Setup information
•Domino Container Control (dominoctl)
https://github.com/nashcom/domino-startscript
https://nashcom.github.io/domino-startscript/

Recommended Infrastructure
•Desktop
−Docker Desktop on Windows, Mac, Linux
−Rancher Desktop on Windows & Mac
−WSL, Windows Sandbox, ..
•Server
−Docker, Podman on Linux
•Linux
−RedHat/CentOS, Alma, Rocky, Oracle, AWS (yum)
−SUSE Enterprise, Leap (zypper)
−Ubuntu, Debian (apt)
•Virtualization / Hypervisors
−VMware ESXi 8.x
−Proxmox 7.x

Domino Container Images
•HCL Image
−Download HCL Domino Container from MHS or pull from HCL registry
−Documentation is updated, including examples
▫https://help.hcltechsw.com/domino/14.0.0/admin/inst_dock_domino_overview.html
•HCL Community image
−Built by customers & partners
▫Download Linux WebKit installer and just run “./build.sh domino”
▫Support for the build process and the additional image functionality is GitHub community based
•Support for standard Domino & start script functionality in both containers by HCL
−Additional functionality is supported by the community project via GitHub
−Kernel of host + glibc & libstdc++ version of the container must match system requirements!

Containers in Automation Testing
•Continuous development requires continuous automation testing
•HCL Domino development team uses automation testing for every git submit
−All automation tests have to pass as one requirement before code can be committed!
•More complex integration tests are running every daily build
•New technology requires test suites integrating with other systems (OIDC, Let’s Encrypt, ..)
−Leveraging containers new automation tests
−HCL Domino 12.0.2+ container image is used for all container based automation testing

Domino Container Image Test Automation
•The Domino container image project provides an automation testing suite
•Part of the Open Source GitHub project
−Extendable by customers and partners
−The same test you find in GitHub repository is running in a Jenkins pipeline every night on the daily build
−Leverages OneTouch setup, results are written in a standardized JSON format

Domino One-Touch (OTS)
•Two different configuration options
•Simple ENVIRONMENT variable setup
−Very simple to use
•JSON based setup
−More complex, but very powerful and flexible
−Including Application configuration (update documents, create databases, documents, etc.)
−Schema validation for JSON format
•OTS automation is fully integrated into HCL Community Domino and HCL Domino image
−Provides automated ways to download JSON file
−Replaces {{ ENVIRONMENT_.. }} placeholders

Domino “One Touch Setup”
•Domino 12 introduced “One Touch Setup”
−Provides automated setup + server configuration
−Cross platform, integrated into core -- Not only available for containers!
▫Very useful in the container world
•Two modes
−a.) Environment variables – Designed to be used with containers
▫Basic functionality
−b.) JSON File → Allows to configure many additional settings!
▫Create databases, documents, configure ID-Vault, TLS Credentials ..

Domino “One Touch Setup”
•For basic configuration use environment variables
−More advanced functionality is available passing a JSON file (e.g. via volume mount)
−Environment on Docker host referenced in docker run statement via --env-file env_domino
•env_domino
SetupAutoConfigure=1
SERVERSETUP_SERVER_TYPE=first
SERVERSETUP_ADMIN_FIRSTNAME=John
SERVERSETUP_ADMIN_LASTNAME=Doe
SERVERSETUP_ADMIN_PASSWORD=domino4ever
SERVERSETUP_ADMIN_IDFILEPATH=admin.id
SERVERSETUP_ORG_CERTIFIERPASSWORD=domino4ever
SERVERSETUP_SERVER_DOMAINNAME=DominoDemo
SERVERSETUP_ORG_ORGNAME=Domino-Demo
SERVERSETUP_SERVER_NAME=domino-demo-v12
SERVERSETUP_NETWORK_HOSTNAME=domino.acme.com