Last week a customer ask for a change in his Domino mail group management.

Some people with the right to change groups (with the role GroupModifier) made a change on several groups and a big problem arrives with mail routing to this groups.

The question was: How prevent Group Modifiers to modify some groups on Domino?

O only found one solution : Change the permission on the group document.

I created a simple agent and modify the group field “DocumentAccess” and put the Role ServerModifier. (Only admins has this role on Domino Directory) and also change the Group Owner to the group Administrators.

The simple agent is bellow.

FIELD DocumentAccess := “[ServerModifier]”;
SELECT @All

Domino

Domino

Prepare the packages for installation

1 – Download the image CIQ7TEN from Passport Advantage this is the Debian install for IBM Notes 9.0.1 and also the FP7 from fix central

2 – Expand the downloaded file using tar -xvf command

3 – Open the package bm-notes-9.0.1.i586.deb to be edited using the commands bellow

dpkg-deb -x ibm-notes-9.0.1.i586.deb common
dpkg-deb --control ibm-notes-9.0.1.i586.deb

4 – Edit the control file, inside of the folder DEBIAN and change the Pre-depends section :

Pre-Depends: gdb:i386 | gdb:amd64, coreutils:i386 | coreutils:amd64, unzip:i386 | unzip:amd64, bash:i386 | bash:amd64, procps:i386 | procps:amd64, grep:i386 | grep:amd64, sed:i386 | sed:amd64, libart-2.0-2:i386, libasound2:i386, libatk1.0-0:i386, libavahi-client3:i386, libavahi-common3:i386, libavahi-glib1:i386, libbonobo2-0:i386, libbonoboui2-0:i386, libc6:i386, libcairo2:i386, libcanberra0:i386, libcomerr2:i386, libcups2:i386, libdbus-1-3:i386, libdbus-glib-1-2:i386, libexpat1:i386, libffi6:i386, libfontconfig1:i386, libfreetype6:i386, libgail18:i386, libgcc1:i386, libgconf-2-4:i386, libgcrypt11:i386 | libgcrypt20:i386, libgdk-pixbuf2.0-0:i386, libglib2.0-0:i386, libgnome2-0:i386, libgnomecanvas2-0:i386, libgnome-keyring0:i386, libgnomeui-0:i386, libgnomevfs2-0:i386, libgnutls26:i386 | libgnutls30:i386, libgpg-error0:i386, libgssapi-krb5-2:i386, libgtk2.0-0:i386, libhunspell-1.3-0:i386, libice6:i386, libjpeg62:i386, libk5crypto3:i386, libkeyutils1:i386, libkrb5-3:i386, libkrb5support0:i386, libltdl7:i386, libnspr4:i386, libnspr4-0d:i386, libnss3:i386, libnss3-1d:i386, libogg0:i386, liborbit2:i386, libp11-kit0:i386, libpam0g:i386, libpango1.0-0:i386, libpcre3:i386, libpixman-1-0:i386, libpng12-0:i386, libpopt0:i386, libselinux1:i386, libsm6:i386, libstdc++6:i386, libtasn1-3:i386 | libtasn1-4:i386 | libtasn1-5:i386 | libtasn1-6:i386, libtdb1:i386, libuuid1:i386, libvorbis0a:i386, libvorbisfile3:i386, libx11-6:i386, libxau6:i386, libxcb1:i386, libxcb-render0:i386, libxcb-shm0:i386, libxcomposite1:i386, libxcursor1:i386, libxdamage1:i386, libxdmcp6:i386, libxext6:i386, libxfixes3:i386, libxft2:i386, libxi6:i386, libxinerama1:i386, libxml2:i386, libxrandr2:i386, libxrender1:i386, libxss1:i386, libxt6:i386, libxtst6:i386, zlib1g:i386, unity-gtk2-module:i386, libcanberra-gtk-module:i386, libxss1:i386, gtk2-engines-murrine:i386, p11-kit-modules:i386, libp11-kit-gnome-keyring:i386, ttf-xfree86-nonfree:i386 | ttf-xfree86-nonfree:amd64, libz1:i386, libgconf2-4:i386, libxkbfile1:i386, libgnome-desktop-2 | libgnome-desktop-2-7 | libgnome-desktop-2-11 | libgnome-desktop-2-17 | libgnome-desktop-3-2 | libgnome-desktop-3-12, libidl-2-0:i386, libpangox-1.0-0:i386, libpangoxft-1.0-0:i386, libasound2-plugins:i386, libgail-common:i386, libatk-adaptor:i386, overlay-scrollbar-gtk2:i386 | overlay-scrollbar-gtk2:amd64

5 – Rebuild the package using the commands:

cp -a DEBIAN common
dpkg -b common ibm-notes-9.0.1.i586.deb

6 – Delete the folders common and DEBIAN

7 – Open the Sametime package for edition:

dpkg-deb -x ibm-sametime-9.0.1.i586.deb common
dpkg-deb --control ibm-sametime-9.0.1.i586.deb

8 – Edit the control file, inside of the folder DEBIAN and change the Pre-depends section :

Pre-Depends: ibm-notes, alsa-base, alsa-utils:i386 | alsa-utils:amd64 , iproute:i386 | iproute2:i386 | iproute:amd64 | iproute2:amd64

9 – Rebuild the package using the commands:

cp -a DEBIAN common
dpkg -b common ibm-sametime-9.0.1.i586.deb

remove common and DEBIAN folders

10 – Optional – Brazilian Portuguese Language:

dpkg-deb -x ibm-notes-core-ptbr-9.0.1.i586.deb common
dpkg-deb --control ibm-notes-core-ptbr-9.0.1.i586.deb

Edit the file control inside the DEBIAN folder and remove the the following line:

Depends: ibm-notes-nl1 (= 9.0.1-20131022.1138)

Rebuild the package

cp -a DEBIAN common
dpkg -b common ibm-notes-core-ptbr-9.0.1.i586.deb

Remove common and DEBIAN folders.

Prepare Ubuntu to install IBM Notes 9.0.1 FP7

Install Synaptic. We need to install some packages

sudo apt-get install synaptic

Start Synaptic and go to Settings -> Repositories -> Other software

Add the following URI for the repository:

deb http://archive.ubuntu.com/ubuntu/ raring main restricted universe multiverse

Close Synaptic. It will ask to reload the repositories and maybe you get the index reporitory error, you can ignore it.

run on terminal:

sudo apt-get update

sudo apt-get install libart-2.0-2:i386 libasound2:i386 libatk1.0-0:i386 libavahi-client3:i386 libavahi-common3:i386 libavahi-glib1:i386 libbonobo2-0:i386 libbonoboui2-0:i386 libc6:i386 libcairo2:i386 libcanberra0:i386 libcomerr2:i386 libcups2:i386 libdbus-1-3:i386 libdbus-glib-1-2:i386 libexpat1:i386 libffi6:i386 libfontconfig1:i386 libfreetype6:i386 libgail18:i386 libgcc1:i386 libgconf-2-4:i386 libgdk-pixbuf2.0-0:i386 libglib2.0-0:i386 libgnome2-0:i386 libgnomecanvas2-0:i386 libgnome-keyring0:i386 libgnomeui-0:i386 libgnomevfs2-0:i386 libgpg-error0:i386 libgssapi-krb5-2:i386 libgtk2.0-0:i386 libhunspell-1.3-0:i386 libice6:i386 libjpeg62:i386 libk5crypto3:i386 libkeyutils1:i386 libkrb5-3:i386 libkrb5support0:i386 libltdl7:i386 libnspr4:i386 libnspr4-0d:i386 libnss3:i386 libnss3-1d:i386 libogg0:i386 liborbit2:i386 libp11-kit0:i386 libpam0g:i386 libpango1.0-0:i386 libpcre3:i386 libpixman-1-0:i386 libpng12-0:i386 libpopt0:i386 libselinux1:i386 libsm6:i386 libstdc++6:i386 libtasn1-6:i386 libtdb1:i386 libuuid1:i386 libvorbis0a:i386 libvorbisfile3:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 libxcb-render0:i386 libxcb-shm0:i386 libxcomposite1:i386 libxcursor1:i386 libxdamage1:i386 libxdmcp6:i386 libxext6:i386 libxfixes3:i386 libxft2:i386 libxi6:i386 libxinerama1:i386 libxml2:i386 libxrandr2:i386 libxrender1:i386 libxss1:i386 libxt6:i386 libxtst6:i386 zlib1g:i386 unity-gtk2-module:i386 libcanberra-gtk-module:i386 libxss1:i386 gtk2-engines-murrine:i386 p11-kit-modules:i386 libp11-kit-gnome-keyring:i386 ttf-xfree86-nonfree gdb iproute2 libgconf2-4:i386 libxkbfile1:i386 lib32ncurses5 lib32z1 libidl-2-0:i386 libpangox-1.0-0:i386 libpangoxft-1.0-0:i386 libasound2-plugins:i386 libgail-common:i386 overlay-scrollbar-gtk2 libgnome-desktop-3-12:i386 libatk-adaptor:i386 libgcrypt20:i386 libgnutls30:i386

Install IBM Notes 9.0.1

dpkg -i ibm-notes-9.0.1.i586.deb
dpkg -i ibm-sametime-9.0.1.i586.deb

For Brazilian Portuguese only:
dpkg -i ibm-notes-core-ptbr-9.0.1.i586.deb

After you install and configure the IBM Notes 9.0.1 close the client and install the FP7 using the command:

dpkg -i ibm_notes_fixpack-9.0.1.i586.deb

Many thanks to Felipe Paixão. He works hard to make this setup guide.

Domino Notes

Barry and Uffe will review the latest updates on IBM Notes and Domino as well as IBM Verse On-premises and related Cloud solutions. They will discuss the future directions and support for IBM Notes and Domino and the deliverables over the next 12 to 18 months as IBM transitions to using Feature Packs for delivering future enhancements. Plus, Martin Donnelly will discuss IBM’s plans for XPages enhancements.

There will be time for questions and answers at the end of their presentation.

November 3rd – 10:30 A.M. to 12:00 P.M. Eastern U.S. time. Register here

Domino

I upgrade from El Capitain and Notes 9.0.1 IF4 works fine for me. Yesterday IBM launch the FIX5 for Notes on MAC and will support macOS Sierra

Some information from the TN about the fix 5:

IBM Notes 9.0.1 64-bit running 9.0.1 Interim Fix 5 or above supports macOS Sierra and OS X 10.11. IBM clients can open Service Requests running this release.
Full certification of macOS Sierra will be completed by end of October 2016 or approximately 30 days after the general release of macOS Sierra.

IBM Client Application Access (ICAA) 1.0.0.1 Feature Pack 1 due out in November 2016 will support macOS Sierra.

Domino fix

MacOS Sierra will be available on 20 September for the general public. I search yesterday and today on the system requirements for Notes on MAC and i not found any information.

Anyone knows if the current version of Notes for MAC will run on Sierra?

Domino Notes

As of September 6, 2016, IBM has implemented hard entitlement validation on Fix Central for IBM Notes/Domino products. IBM Software Subscription and Support (S&S) will be validated through IBM ID association to IBM Customer Numbers.

More information on this TN

Domino

“Domino applications that are created from system templates that make use of Java applets, such as the Domino Directory (names.nsf), Document Library, Domino Web Server Configuration database and Widget Catalog database, will be impacted by the removal of NPAPI functionality. The Teamroom and Discussion databases created from older (pre-8.5.3) templates will be impacted as well.
Additionally, custom Notes applications that are using Java applets also may not work correctly in web browsers due to these changes.
It is recommended that you either (1) redesign the portions of the applications that use Java applets to use HTML, or (2) redesign the entire application to leverage XPages design elements.”

I think IBM will not replace any Java applet.

Domino

Nikto is an Open source web scanner released under the GPL license, which is used to perform comprehensive tests
on Web servers for multiple items including over 6500 potentially dangerous files/CGIs.

To install Nikto on Centos ;

1  yum install perl-CPAN* perl perl-Net-SSLeay openssl install perl-Time-HiRes
2  wget https://github.com/sullo/nikto/archive/master.zip
3 – unzip master.zip

To run a simple test, just type ./nikto.pl -h 192.168.10.74 on the program folder.

This is the result from my development server

– Nikto v2.1.6
—————————————————————————
+ Target IP:          192.168.10.74
+ Target Hostname:    192.168.10.74
+ Target Port:        80
+ Start Time:         2016-09-01 08:43:45 (GMT-3)
—————————————————————————
+ Server: Lotus-Domino
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ IBM/Lotus Domino: Server detected based on banner or nsf retrieval.
+ IBM/Lotus Domino: Version 9.0.0.0 detected at /download/filesets/l_LOTUS_SCRIPT.inf.
+ OSVDB-523: /homepage.nsf: This database can be read without authentication, which may reveal sensitive information.
+ Allowed HTTP Methods: GET, HEAD, POST, TRACE, PUT, DELETE, OPTIONS, PATCH
+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ HTTP method: ‘PATCH’ may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /ckeditor/ckeditor.js: CKEditor identified. This file might also expose the version of CKEditor.
+ /ckeditor/CHANGES.md: CKEditor Changelog identified.
+ 8392 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2016-09-01 08:45:02 (GMT-3) (77 seconds)
—————————————————————————
+ 1 host(s) tested

Domino

From an IBM email received today:

As we first advised in December of 2015, Microsoft has confirmed they no longer support versions of Internet Explorer® older than the current version (Microsoft Internet Explorer® 11). We continue to allow access to our services for these non-supported versions, but effective September 24, 2016, an anticipated update to our Verse and SmartCloud Notes web applications will cause users accessing the service with un-supported browsers (versions previous to Internet Explorer® 11) to encounter issues such a missing controls (reply, forward, or other formatting tools) and other functional issues.

We encourage our clients to take immediate action by notifying their users and assisting any who use legacy versions of Microsoft Internet Explorer® to upgrade immediately.

Domino

Today i am working on a customer (after migrating 5000 users from Exchange), and i try to submit another file to integration server. Integration Server is an option to modify users on SmartCloud using text files. The file name must be <contract>_PRV_seqNum.csv

I created several TDI Assembly lines and i am using UNIX epoch time as seqNum.  When submit a file i got an error “This sequence number must be greater than xxx.”  I found that the customer submit a file using another kind of sequence, so i need to reset the seqNum.

How i do that? Just send a file with <contract>_PRV_9223372036854775807.csv.

After the number 9223372036854775807 the integration server reset the counter and the epoch as a sequence number works again.

Domino

Today i upgrade one TDI 7.1.1 JVM  to the latest fix from IBM.

The setup was easy, just unzip the file and copy to jvm directory.

When i launch an assembly line using delta.  The log file show the following error:

CTGDKE039E Error occurred when creating IBM Tivoli Directory Integrator Property store. Property store: System-Properties Exception: java.sql.SQLNonTransientConnectionException: java.net.ConnectException : Error connecting to server localhost on port 1527 with message Connection refused: connect.

The derby database was not starting, and in derby.log i found:

2016-07-06 20:44:01.917 GMT : Access denied (java.net.SocketPermission localhost:1527 listen,resolve)
java.security.AccessControlException: Access denied (java.net.SocketPermission localhost:1527 listen,resolve)

I try everything on  http://www-01.ibm.com/support/docview.wss?uid=swg21450475

The problem was related to permission. The text bellow is from https://db.apache.org/derby/releases/release-10.10.2.0.html

After upgrading to a JVM with these changes, while attempting to boot, the network server may fail and raise the following error:

access denied (“java.net.SocketPermission” “localhost:1527” “listen,resolve”) java.security.AccessControlException: access denied (“java.net.SocketPermission” “localhost:1527” “listen,resolve”)

To workaround this problem, you must bring up the network server with a security policy which includes the now required missing permission. Instead of booting the network server as:

java org.apache.derby.drda.NetworkServerControl start

boot the network server as follows:

java -Djava.security.manager -Djava.security.policy=${yourPolicyFile} org.apache.derby.drda.NetworkServerControl start

where ${yourPolicyFile} is a file containing a customized version of the policy file described in the Derby Admin Guide section titled Basic Network Server security policy. You must customize that generic policy file to fit your application. In addition, you must add the following permission to the permissions block granted to the ${derby.install.url}derbynet.jar codebase:

permission java.net.SocketPermission “localhost:${port}”, “listen”;

where ${port} should be replaced by the port number where the network server listens for incoming connection requests. By default, that is port 1527.

Solving the problem

I add  permission java.net.SocketPermission “localhost:1024-“, “listen”; to the grant session of the java.policy file and restart TDI

 

Connections Domino WebSphere WebSphere Portal