Category: Domino

As of September 6, 2016, IBM has implemented hard entitlement validation on Fix Central for IBM Notes/Domino products. IBM Software Subscription and Support (S&S) will be validated through IBM ID association to IBM Customer Numbers.

More information on this TN


“Domino applications that are created from system templates that make use of Java applets, such as the Domino Directory (names.nsf), Document Library, Domino Web Server Configuration database and Widget Catalog database, will be impacted by the removal of NPAPI functionality. The Teamroom and Discussion databases created from older (pre-8.5.3) templates will be impacted as well.
Additionally, custom Notes applications that are using Java applets also may not work correctly in web browsers due to these changes.
It is recommended that you either (1) redesign the portions of the applications that use Java applets to use HTML, or (2) redesign the entire application to leverage XPages design elements.”

I think IBM will not replace any Java applet.


Nikto is an open source web scanner released under the GPL license, which is used to perform comprehensive tests on web servers for multiple items, including over 6500 potentially dangerous files/CGIs.

To install Nikto on CentOS:

1. yum install perl-CPAN* perl perl-Net-SSLeay openssl perl-Time-HiRes
2. wget
3. unzip

To run a simple test, just type ./ -h in the program folder.

This is the result from my development server

- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2016-09-01 08:43:45 (GMT-3)
+ Server: Lotus-Domino
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IBM/Lotus Domino: Server detected based on banner or nsf retrieval.
+ IBM/Lotus Domino: Version detected at /download/filesets/l_LOTUS_SCRIPT.inf.
+ OSVDB-523: /homepage.nsf: This database can be read without authentication, which may reveal sensitive information.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method: 'PATCH' may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /ckeditor/ckeditor.js: CKEditor identified. This file might also expose the version of CKEditor.
+ /ckeditor/ CKEditor Changelog identified.
+ 8392 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2016-09-01 08:45:02 (GMT-3) (77 seconds)
+ 1 host(s) tested
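
An added example, not part of the original post: a short Python triage of a Nikto report like the one above, grouping the finding lines into missing response headers, enabled write/debug HTTP methods and databases readable without authentication. The sample lines are abridged from the output above; the function names and remediation wording are this example's own.

```python
import re

# Finding lines abridged from the scan output above, with straight quotes.
SAMPLE = """\
+ Server: Lotus-Domino
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined.
+ The X-Content-Type-Options header is not set.
+ OSVDB-523: /homepage.nsf: This database can be read without authentication, which may reveal sensitive information.
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method: 'PATCH' may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8392 requests: 0 error(s) and 12 item(s) reported on remote host
"""

HEADER_RE = re.compile(r"(X-[A-Za-z-]+) header is not (?:present|defined|set)")
# Accept both straight and typographic quotes around the method name.
METHOD_RE = re.compile(r"HTTP method.*?[‘'](PUT|DELETE|PATCH)[’']|HTTP (TRACE) method is active")
NSF_RE = re.compile(r"(/\S+\.nsf): This database can be read without authentication")


def triage(report):
    """Group Nikto '+' finding lines into hardening work items."""
    items = {"missing_headers": [], "risky_methods": [], "anonymous_databases": []}
    for line in report.splitlines():
        if not line.startswith("+ "):
            continue  # banner and blank lines carry no finding
        if m := HEADER_RE.search(line):
            items["missing_headers"].append(m.group(1))
        elif m := METHOD_RE.search(line):
            items["risky_methods"].append(m.group(1) or m.group(2))
        elif m := NSF_RE.search(line):
            items["anonymous_databases"].append(m.group(1))
    return items


def worklist(items):
    """Turn the triaged findings into one remediation line each."""
    out = [f"set response header {h}" for h in items["missing_headers"]]
    out += [f"disable HTTP {m} unless an application needs it" for m in items["risky_methods"]]
    out += [f"remove Anonymous access from the ACL of {p}" for p in items["anonymous_databases"]]
    return out


if __name__ == "__main__":
    for entry in worklist(triage(SAMPLE)):
        print(entry)
```

Current Chrome, Edge and Firefox releases ignore X-XSS-Protection, so for that item a Content-Security-Policy is the control that actually changes browser behaviour.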


From an IBM email received today:

As we first advised in December of 2015, Microsoft has confirmed they no longer support versions of Internet Explorer® older than the current version (Microsoft Internet Explorer® 11). We continue to allow access to our services for these non-supported versions, but effective September 24, 2016, an anticipated update to our Verse and SmartCloud Notes web applications will cause users accessing the service with un-supported browsers (versions previous to Internet Explorer® 11) to encounter issues such as missing controls (reply, forward, or other formatting tools) and other functional issues.

We encourage our clients to take immediate action by notifying their users and assisting any who use legacy versions of Microsoft Internet Explorer® to upgrade immediately.


Today I am working at a customer (after migrating 5000 users from Exchange), and I tried to submit another file to the Integration Server. Integration Server is an option to modify users on SmartCloud using text files. The file name must be <contract>_PRV_seqNum.csv.

I created several TDI assembly lines and I am using UNIX epoch time as seqNum. When I submitted a file, I got the error “This sequence number must be greater than xxx.” I found that the customer had submitted a file using another kind of sequence, so I needed to reset the seqNum.

How do I do that? Just send a file named <contract>_PRV_9223372036854775807.csv.

After the number 9223372036854775807, the integration server resets the counter and the epoch time works as a sequence number again.


Today I upgraded one TDI 7.1.1 JVM to the latest fix from IBM.

The setup was easy: just unzip the file and copy it to the jvm directory.

When I launched an assembly line using delta, the log file showed the following error:

CTGDKE039E Error occurred when creating IBM Tivoli Directory Integrator Property store. Property store: System-Properties Exception: java.sql.SQLNonTransientConnectionException: : Error connecting to server localhost on port 1527 with message Connection refused: connect.

The derby database was not starting, and in derby.log i found:

2016-07-06 20:44:01.917 GMT : Access denied ( localhost:1527 listen,resolve) Access denied ( localhost:1527 listen,resolve)

I tried everything on

The problem was related to permissions. The text below is from

After upgrading to a JVM with these changes, while attempting to boot, the network server may fail and raise the following error:

access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve") access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")

To workaround this problem, you must bring up the network server with a security policy which includes the now required missing permission. Instead of booting the network server as:

java org.apache.derby.drda.NetworkServerControl start

boot the network server as follows:

java -Djava.security.manager -Djava.security.policy=${yourPolicyFile} org.apache.derby.drda.NetworkServerControl start

where ${yourPolicyFile} is a file containing a customized version of the policy file described in the Derby Admin Guide section titled Basic Network Server security policy. You must customize that generic policy file to fit your application. In addition, you must add the following permission to the permissions block granted to the ${derby.install.url}derbynet.jar codebase:

permission java.net.SocketPermission "localhost:${port}", "listen";

where ${port} should be replaced by the port number where the network server listens for incoming connection requests. By default, that is port 1527.

Solving the problem

I added permission java.net.SocketPermission "localhost:1024-", "listen"; to the grant section of the java.policy file and restarted TDI.
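
An added example, not from the original post or from the Derby documentation: a small Python check that flags SocketPermission "listen" grants wider than the codebase-scoped, single-port grant the Derby text describes. The policy text is constructed; its first block mirrors the entry added to java.policy above and its second is the Derby form with ${port} set to the default 1527.

```python
import re

# Constructed policy text. The first grant mirrors the entry added to
# java.policy above; the second is the codebase-scoped form from the Derby
# text, with ${port} replaced by the default 1527.
POLICY = r'''
grant {
    permission java.net.SocketPermission "localhost:1024-", "listen";
};

grant codeBase "${derby.install.url}derbynet.jar" {
    permission java.net.SocketPermission "localhost:1527", "listen";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s*"([^"]*)")?\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(
    r'permission\s+java\.net\.SocketPermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')


def audit(policy_text):
    """Return (codebase, target, reasons) for every over-broad listen grant."""
    findings = []
    for codebase, body in GRANT_RE.findall(policy_text):
        for target, actions in PERM_RE.findall(body):
            if "listen" not in [a.strip() for a in actions.split(",")]:
                continue  # connect/accept/resolve grants are out of scope here
            _host, sep, port = target.rpartition(":")
            reasons = []
            if not codebase:
                reasons.append("granted to all code (no codeBase)")
            if not sep or "-" in port:
                reasons.append("covers a port range, not a single port")
            if reasons:
                findings.append((codebase or "<all code>", target, reasons))
    return findings


if __name__ == "__main__":
    for codebase, target, reasons in audit(POLICY):
        print(f"{codebase}: listen on {target}: " + "; ".join(reasons))
```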



This technote provides information on common issues affecting users who have upgraded to IBM Verse 9.4 for Android.




I use the cmd + M keyboard shortcut every time I need to create a new memo in IBM Notes. Yesterday this keyboard shortcut stopped working.

I looked at the status bar while pressing cmd + M and saw the message:

“You must first add your mail file mail/kcarvalho.nsf to the workspace”.


But my mail box icon was on the workspace.


The solution:

Yesterday I moved my mail box from the mail folder to the mail2 folder and added the icon to the workspace, but the location was not updated.

After changing the location to mail2\kcarvalho.nsf, the keyboard shortcut works fine again 🙂





You can use the NOTES.INI setting LOGSTATUSBAR=1 to enable logging of status bar messages to the local log file, LOG.NSF. To view the logged messages, open the file, LOG.NSF, and then click the Miscellaneous Events view. Status bar messages are appended with “Status Msg.”

To write the status bar messages to an external file, use the NOTES.INI setting Debug_Outfile=<path to file> with the NOTES.INI setting LOGSTATUSBAR=1. For example:



This can be done using an agent that is run by an ID that has access and delete rights to all the mail files on the server. The email will have the same Universal ID (UNID) in all of the mail files. This will allow you to get a handle on that particular email. The example code below gets a handle to the People view of the server’s name and address book. From the person document, it obtains the mail file for the user and then opens the mail file, locates the email and removes it.

The first step is to locate the UNID. This can be found by bringing up the document properties for the email you want to remove and looking at the beanie tab:

The UNID will be the 32 characters on the first 2 lines without the OF from the first line and the ON from the second line. Also, do not include the colon : on the 2 lines. So, the UNID for the above screen shot would be – EF883FE6FC7A14D185257F8E005D7D7D

The following code is an example that can be used to accomplish this. Please note that this code is provided as an example only. IBM support will not be able to modify or customize this agent. A version of this agent will need to be run on all mail servers in your environment. It can be set to run as a scheduled agent or via action menu selection. The target in both the scheduled version and action menu selection should be set to None.

Sub Initialize
    Dim s As New NotesSession
    Dim perdoc As NotesDocument
    Dim pview As NotesView
    Dim mailDB As NotesDatabase
    Dim db As NotesDatabase
    Dim strServerName As String
    Dim doc As NotesDocument

    ' Skip mail files that cannot be opened or that do not contain the document
    On Error Resume Next

    ' Set the strServerName variable to point to your server name
    strServerName = "YourServer/YourDomain"
    Set db = s.GetDatabase(strServerName, "names.nsf", False)
    Set pview = db.GetView("($People)")
    Set perdoc = pview.GetFirstDocument
    While Not perdoc Is Nothing
        ' Clear the handles so a failed lookup cannot reuse the previous user's objects
        Set mailDB = Nothing
        Set doc = Nothing
        Set mailDB = s.GetDatabase(strServerName, perdoc.GetItemValue("MailFile")(0), False)
        If Not mailDB Is Nothing Then
            Set doc = mailDB.GetDocumentByUNID("<Target document UNID goes here>")
            If Not doc Is Nothing Then
                ' Hard delete: the document is removed even if soft deletions are enabled
                Call doc.RemovePermanently(True)
            End If
        End If
        Set perdoc = pview.GetNextDocument(perdoc)
    Wend
End Sub

I found the information above on


This week I am working with TDI to sync MS AD and Domino. There are several ways to sync these two LDAP servers.

Searching the web for a way to generate hundreds of user accounts on the MS AD test server, I found LDIF Generator.

This little Java program generates an LDIF file that you can import using, for example, Apache Directory Studio.