Configure an additional Notes port on a server  

By Daniel Nashed | 5/15/25, 6:48 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The previous blog post dealt more with the background of having a second Notes TCP/IP port. This post focuses on setting up a new Notes port end to end using the DNUG Lab environment as an example. The server I am configuring has two separate IP addresses on two different network cards. But the same procedure would also work with IP addresses in the same network.

Benefits of running Domino with multiple TCP/IP ports  

By Daniel Nashed | 5/15/25, 6:47 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Support for multiple TCP/IP ports has been part of HCL Domino since the early days. Back then, it was first essential to support multiple simultaneous modem connections. It also proved valuable for clustered servers using dedicated network cards. While today’s networks offer 1 Gbit/s or even 10 Gbit/s speeds—making multiple ports less necessary from a raw bandwidth perspective—there are still compelling reasons to use multiple Notes ports in modern environments.

Quick Tip: Domino container in your timezone  

By Oliver Busse | 4/17/25, 5:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Since I always forget about the timezone settings when spinning up Domino in a container, I just wanted to document it here for my own records. The key here is to provide an environment setting directly when issuing the run command. For me this would be the Central European timezone like so: docker run -d --name domdev -v /local/notesdata:/local/notesdata --hostname domdev.local --cap-add=SYS_PTRACE -e TZ=Europe/Berlin -p 1352:1352 -p 80:80 -p 443:443 domino-container:12.0.2FP6

Adding trusted roots to Domino containers  

By Daniel Nashed | 4/7/25, 4:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Linux and Domino come with a good set of public trusted certs. But in a corporate environment you often have to add your own trusted root for a corporate CA. This starts with Linux which needs certificates to validate repository servers and other resources. Domino trusted roots But also within Domino there are trust stores which might need central management. Domino Directory Trusted roots, certstore.nsf Trusted roots can be easily centrally updated. But the following two trust stores are more difficult to manage: /local/notesdata/cacert.pem used for HTTP Requests in Lotus Script and other backend code using curl Domino JVM trust store used by Java

What you should know about Domino "res" files on Linux and AIX  

By Daniel Nashed | 4/3/25, 4:56 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

res files actually come from Windows and are used to translate strings for UI and errors. Those res files are usually linked to the Windows binary. Linux and AIX also use "res" files in a res/ directory below the binary directory. The files are essential for a server. All the core code string resources are in strings.res. Most Domino native servertasks also use string resources.

Wolfi OS - Secure base layer for containers  

By Daniel Nashed | 4/3/25, 4:54 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This project is pretty cool. It's a container only OS using the kernel from the host. But it has a couple of really interesting design goals. https://github.com/wolfi-dev/ They build container base images with the minimum number of packages and "CVE free" as much as possible. So their own containers for NGINX for example really only have NGINX and nothing around it -- not even a shell unless you install a :latest-dev container.

How to update Domino when running in a container?  

By Daniel Nashed | 4/3/25, 4:52 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I just updated my production environment to Domino 14.0 FP4. Let me show you how it works if you have everything set up.

Reducing the noise in the log   

By Patrick Kwinten | 2/20/25, 3:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Every Domino environment has got logs and probably it's not you who goes through the logs since it's a repetitive mind-numbing task. Here too, but sometimes the colleague who performs the task takes some days off and then it might be you who is responsible for doing it. So last week I was “screwed” and was searching for a quick solution to minimalize the mind-numbing without risking to overlook an important log-entry. Here is what I came up with:

How to add a trusted root to Linux  

By Daniel Nashed | 2/3/25, 2:57 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I am still adding custom trusted root support to the Domino container project. You will be able to just specify a trusted root to add to the local Linux trust store. Like other low level functionality this works differently on different Linux flavors. Here is what I am adding for SUSE, for Debian/Ubuntu and basically all the other Redhat/RPM based systems (I tested Rocky, Alma & Co so far).

Data Access With XPages JEE  

By Jesse Gallagher | 1/17/25, 6:25 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Though one day I'd really like to sit down and work on expanding and categorizing the documentation for the XPages JEE project, in the meantime I can at least put together some scattered info in the form of blog posts, webinars, and example apps. Add this post to the pile! Some of it will be a rehash of previous posts, but it doesn't hurt to see it rephrased.

DBMT tool enhancements in Domino 14.5 EA2   

By Daniel Nashed | 1/7/25, 2:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Sometimes small changes open many new possibilities. The following DBMT tool command line options are added to DBMT in Domino 14.5 EA2:
-systemDbs (-sd for short) Allows compact to process system dbs (which are usually ignored), as well as databases listed in the dbmt_compact_filter.ind file.
-regex (-re for short) Now a database name can be specified using regular expressions. If an .ind file is specified, the database names listed in the .ind file can be regular expressions.
-validateDbs (-vd for short) Does not execute the updall or compacts, but outputs the list of databases that could be affected by the DBMT command (mainly to validate -regex inputs). Can be used in combination with -sd

Notes Timedate explained  

By Daniel Nashed | 1/7/25, 2:38 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There have been a couple of partner blog posts speculating about the background of the recent Domino 13.12.2024 problem, which might be a bit misleading. For the background of what happened in detail and how HCL addressed the problem please wait for the official technote update. But what I can tell is that HCL fixed it on a lower level function addressing all functionality in Domino and business partner applications using the affected functionality. This means the only safe way is to apply the Interim fix provided by HCL for all supported releases including the extended support versions! What I also can state is that all Notes TIMEDATE functionality is working as intended and is designed to handle date times from 1.1.1 to the end of all times.

Domino Router bug - seems to also affect server availability index  

By Darren Duke | 1/7/25, 2:36 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I was waiting for the other shoe to drop for this bug. Surely the errant code wasn't only in the router task. Well, it seems that it's NOT only the router. After working with a customer on fail-over issues in a cluster we came across this interesting availability index "issue". On a server patched for the router bug (or an un-patched server that has not been rebooted) the "show ai" command behaves as expected, the XF, Hits and AI min and max are populated. However, on a rebooted, un-patched server AI is completely and utterly blank.

A little Domino container story  

By Martijn de Jong | 1/3/25, 7:05 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you’re active in the Domino world, it’s unlikely that you missed that we had a little problem 2½ weeks ago.... This blog post is not about this problem itself, but this problem caused many servers with outdated Domino versions to urgently need an update, and this is a little story about one of those servers.

New project Domino Download Server  

By Daniel Nashed | 12/30/24, 7:11 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Over the x-mas I had a bit of time to work on an idea I had already a while ago. Some customers can't directly connect to the internet. Not even with a proxy. Domino AutoUpdate and also the Domino Download script both support proxy environments including authenticated proxies. The Domino Download script leverages the curl command-line which is very flexible. But also Domino AutoUpdate has full proxy support. Still some environments can't download anything from the internet. Some are even air gapped. The idea was to come up with an NGINX based service which could be the source for all your Notes/Domino downloads. I wanted it to work in different environments.

Thomas Hampel  

By Thomas Hampel | 12/13/24, 5:35 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

*** ALERT *** Development team just identified a new issue which will affect ALL Domino server versions as of TODAY ( 13th of December 2024 ) Starting as of today, if you restart your Domino server, a router error will result in delivery failures due to a routing loop. Mail rules will also start failing. It is a date/time issue in our code. We will of course provide a fix as soon as possible for all Domino versions that are in support. Furthermore for older versions in extended support, customers with an extended support agreement will be provided with a fix as well.

HCL Domino Leap – Fixing Embedded Forms Issues After Updating to 1.1.5   

By Milan Matejic | 11/26/24, 5:02 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you are embedding HCL Domino Leap Applications or Forms into portals and sites not hosted on the same Domino Server as Domino Leap, you might encounter issues due to the Content-Security-Policy (CSP) HTTP Response Header. Starting with HCL Domino Leap 1.1.5, a Strict CSP policy has been introduced.

Modern email protocols: DANE, MTA-STS and TLS-RPT  

By Martijn de Jong | 11/8/24, 3:47 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In my recent OpenNTF webinar on modern E-mail Server operations, I covered several SMTP-related protocols like DKIM, SPF, and DMARC. However, with ongoing efforts to enhance the security of SMTP, new protocols have emerged, and these are the focus of this article. Two weeks after my OpenNTF presentation, my former colleague Erwin Stamer contacted me regarding the DANE status of my domain as it was yellow instead of green. He was looking at the status of my domain as they were implementing it at his employer (a large Dutch bank) and was looking for an example. I must admit that I initially had no idea what DANE was, but as it was in line with my presentation, I dived into it. DANE, MTA-STS and TLS-RPT all work together, but let’s look at them separately.

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity  

By Daniel Nashed | 10/28/24, 2:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This might help you in some network situations and it came up today in the OpenNTF Discord chat. TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even if the application is not sending any data. The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only. Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default. On Windows you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds. A good default value would be 75 seconds like on Linux and MacOS.

Key Rollover vs Certifier rollover  

By Daniel Nashed | 10/28/24, 2:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size. Key size and certificate key size play an important role in your security and you should be aware of it. Key Rollover Rolling over keys is a quite normal operation. It's a best practice to rotate keys at least when the recommended key strength changed. Rolling over a key is client side initiated but requires an admin action. Certifier Rollover When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID. For your organization certifier this will be the organization certifier itself which signs itself. Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order. You also have to take care of all cross certificates, Vault trust certificates. The process is quite complex and needs planning:

Upgrading OnTime in a container | Roberto Boccadoro  

By Roberto Boccadoro | 10/25/24, 5:32 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Running Domino in a container is becoming more and more popular these days. I assume the reader is familiar with the topic, I am not going to explain how to create and run a Domino container. If you want to know more about Domino containers watch the replay of the webinar that Martijn did for OpenNTF and read his presentation. OnTime is included in Domino, starting with Release 14, is a great tool and I encourage my readers to use it, the version included in Domino is free and very powerful. The issue is that Intravision creates new releases of OnTime faster than HCL creates new releases of Domino, which is obviously understandable. For example the OnTime version included in Domino is 11.1, but the most recent is 11.5. Hence if you want to keep your environment updated, you need to upgrade OnTime. That is easy if you run Domino on Windows or Linux native, but what if you run Domino in a container?

Check the minimum client version for your Notes application  

By Daniel Nashed | 10/25/24, 3:12 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Notes provides new functionality in Lotus Script and there are also Java classes added to the client. Lotus Script Named documents have been introduced in Notes/Domino 12.0.1. I have just written an application which needs a Java class which is introduced in Notes 12.0.2 as it turned out. So I came up with a simple check I am going to add to all my applications which use more current functionality. You can drop this code into the PostOpen script of any database and switch to the right constant.

Using Custom DNS Configurations With CertMgr  

By Jesse Gallagher | 10/25/24, 3:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The most common way that I expect people use Domino's CertMgr/certstore.nsf is to use Let's Encrypt with the default HTTP-based validation. This is very common in other products too and usually works great, but there are cases when it's not what you want. I hit two recently. Domino's CertMgr can handle those DNS challenges just fine, though, and the HCL-TECH-SOFTWARE/domino-cert-manager project on GitHub contains configuration documents for several common providers/protocols. For historical reasons (namely: I didn't like Network Solutions in 2000), I use joker.com as my registrar, and they're not in the default list. Indeed, it seems like their support for this process is very much a "oh geez, everyone's asking us for this, so let's hack something together" sort of thing. Fortunately, the configuration docs are adaptable with formula (and other methods) - I'll spare you the troubleshooting details and get to the specifics.

Domino Container image custom add-on support enhancements  

By Daniel Nashed | 10/14/24, 3:19 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There is a custom add-on functionality Martijn and Roberto just blogged about this week. https://blog.martdj.nl/2024/10/10/building-custom-add-ons-for-your-domino-container-image/ https://www.robertoboccadoro.com/2024/10/10/upgrading-ontime-in-a-container/ This was the missing trigger for me to look into it again. It's a quite new functionality which wasn't fully documented yet. Documentation: I have added a new documentation markdown page --> https://opensource.hcltechsw.com/domino-container/concept_custom_addons/

Building custom add-ons for your Domino container image – Martijn's Blog  

By Martijn de Jong | 10/14/24, 3:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is a post that I thought I had already written, but I realised today that I hadn’t. It’s about a feature that Daniel Nashed added to the Domino container community project in the past year and that I showed in my presentations on the Domino container project at Engage and OpenNTF. But apparently, apart from that, Daniel and I never documented it. So here it is. The documentation on how to create your own custom add-on packages for your Domino container image.

Installing Domino REST API in an existing Domino container server – Martijn's Blog  

By Martijn de Jong | 10/3/24, 1:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The Domino REST API, a.k.a. DRAPI, is a requirement for running HCL Volt MX Go. On a native Domino server, it’s an add-on that you can install. The installation will install files in both a special install directory, the Domino program directory and the Domino data directory. On a Domino server using Domino container images, you need a Domino image with the REST API included. After all, the Domino program directory is not persistent, which means that any addition to this directory that was added in the container and not in the image, is lost when the Domino container is stopped and restarted. Something that happens whenever you reboot the host machine. Luckily, the Domino container community image build tool includes the Domino REST API in the build menu, so it’s easy to add.

Linux LSOF is causing 100% CPU load inside a container in some configurations  

By Daniel Nashed | 10/2/24, 4:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro


Disabling XPages if not needed reduces open files and HTTP start/stop time  

By Daniel Nashed | 9/30/24, 4:30 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

While working on setup automation I often ran into HTTP startup challenges. It can take up to 40-50 seconds until the HTTP task is started. If you look at open files, you notice that each thread has more than 70 files open. This sums up to quite some files and the HTTP server start/stop time is much slower. In case you don't use XPages there is a simple switch to disable the XPages run-time and only load the standard Java components. notes.ini INotesDisableXPageCMD=1 I first had the impression Java in general would cause overhead on start. But my tests drilled down to XPages/OSGI.

Domino 14.0 FP2 IF1 installer might fail on new machines -- VCRUNTIME140 32bit is missing  

By Daniel Nashed | 9/24/24, 1:06 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I ran into this today when testing and got a customer reporting this one hour later. So it was easy to reply with a root cause and solution. Domino is a 64bit application. Therefore the Windows run-time installed with the Domino release installer is 64bit only. The Fixpack installer has no VC runtime requirements. But it turns out the hotfix installer, which is also used for interim fixes is also a 32bit installer and has VC dependencies.

Domino does not shutdown cleanly when Windows is rebooted or shutdown  

By Daniel Nashed | 9/11/24, 6:23 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When stopping the Domino service manually, the Windows service control manager (SCM) waits sufficient time to shutdown Domino cleanly. But it turns out a Windows shutdown or reboot does not wait sufficient time for service termination. This is critical because it would kill running Domino processes without notice. Even with transaction log enabled, this isn't a desirable situation.