09-05-2016

IBM Domino 9.0.1 Fix Pack installler quits without error on Ubuntu Server 16.04

Tags: domino linux ubuntu 16.04 perl installer fix pack fixpack defined(@array
I recently had to reinstall my system because I  chose to ignore smartd's emails nagging me about unrecoverable errors a bit too long.
The system disk that inevitably died before I could grab an image provided me with an opportunity to install the latest & greates Ubuntu LTS release (16.04), and yes, I know, Ubuntu (server) is not a supported platform.

How hard can it be right? Install OS, install Domino, Traveler and fix packs, been there, done that etc.
Well... I got as far as installing Domino 9.0.1 and Traveler 9.0.1 and then things got interesting.
...

05-07-2015

How to create a Domino keyring for a SHA2+ certificates

Tags: keyring kyrtool x509 ssl certificate openssl domino sha2
When creating the CSR directly through the SSL Vendor's website you need to combine the key and certificate into the Domino keyring file, and when the private key is not in RSA format it needs to be converted.

This post is based on my experience with a certificate created through TransIP's website.

After creating the request I received a .zip file which contained the following:

Cabundle.crt
Certificate.crt
Certificate.key
Certificate.p7b

To create a new Domino keyring using kyrtool use the following command:

Kyrtool create –k c:\cert\keyfile.kyr -p password

Unfortunately the certificate.key file provided by TransIP is not in RSA format which is not supported by kyrtool.
In this case the format was easily determined by looking at the first line of the file, instead of starting with ------BEGIN RSA PRIVATE KEY----- the file started with  ------BEGIN ENCRYPTED PRIVATE KEY------

...

05-07-2015

Importing a new SHA2+ certificate into Domino keyring based on existing CSR

Tags: sha2 keyring kyr openssl certificates domino import howto
When you renew an existing server certificate using the existing CSR for example to upgrade from the weak SHA1 cypher, the following commands will allow you to import the new server certificate into the existing Domino keyring file.

Requirements:

IBM Domino server running 9.0.1FP3+
IBM Notes clinet running 9.0.1FP3+
The 'new'  keyring tool from www.ibm.com/support/fixcentral (901FP3IF_Keytool.zip)
The new certificate file from your certificate vendor and certificates for all signers in the certificate chain
Access to the keyring files (both .kyr and .sth)


...

04-23-2015

Creating a sha2+ keyring with Domino CA signed certificate

Tags: SHA2 Domino CA keyring ca process kyrtool
Ever wondered how to use the new keyring tool with your Domino based Internet Certificate Authority?

This should work

First we create a new keyring using the 'new'  kyrtool

kyrtool create -k c:\ibm\keyring.kyr -p mypassword

Then we create a private key and csr using openssl

openssl genrsa -out server.key 4096
openssl req -new -sha256 -key server.key -out server.csr

Open the certificate request database of your Domino based internet CA in your browser and select 'Request server certificate'  and paste the contents of server.csr and click submit to request the certificate.

Once the certificate has been signed, pick it up in the browser using the pickup id (you should have received this ID by email)

Select RAW format and copy paste into a file, in  this example server.cer

Next we combine the private key, the signed certificate and CA certificate into a single file.

copy server.key+server.cer+cacert.cer combined.txt

(cacert.cer = base64bit encoded )

Finally we import this combined file into the Domino keyring

kyrtool import all -k c:\ibm\keyring.kyr -i combined.txt

03-21-2015

Fun with OSX Storage or How to upgrade to a larger boot disk

Tags: Apple MacBook OSX CoreStorage physical volume resizing increase physical volume howto
Recently I bought a larger SSD for my wife's  2011 MacBook Pro and to avoid having to reinstall everything I created an image of the original SSD using my Ubuntu laptop.
I restored the image onto the new drive,  using gParted I then moved the Recovery Partition to the end of the disk to free space directly following the main OSX partition.
This left only one more thing, to resize the actual OSX partition to use the full size of the new drive.

Unfortunately this wasn't so easy as I first thought.
The tools available to me on my Linux system didn't quite seem up to the task, so I put the drive into the MacBook Pro, and booted into Recovery Mode (Command-R).
No problem there, the Disk Utility saw the drive, but flat out refused to resize it. I could create a new partiition in the unused space, but that wasn't quite what we had in mind.

In recovery I then opened up a terminal window.

The command "diskutil list" showed the full size of the drive and "diskutil cs list" showed there was a smaller physical volume containing  a logical volume "Macintosh HD"

A few Google queries later I found my self trying the (undocumented) diskutil resizedisk / diskutil cs resizevolume commands but both returned errors.

Edit: the command diskutil cs resizedisk returned:  this operation couldn't proceed because the target's boot helper was mounted

After a couple of iterations where I fine tuned my Google query I ended up with the following.
...

01-21-2015

Error during server based archiving using -DAOS ON commandline parameter.

Tags: Lotus Domino 9.0.1 ODS52 SPR # BBSZ9QDK4P
Recently ran into an archiving problem at a customer after upgrading to Domino R9.0.1 FP2 and ODS52:

17/01/2015 12:01:15 Archiving documents from mail\jdoe.nsf (John Doe)                                                              
17/01/2015 12:01:15 Informational, cannot enable DAOS in database mail\jdoe.nsf with ODS version 52.                                  
17/01/2015 12:01:15 Error archiving documents from mail\jdoe.nsf: Informational, DAOS is already enabled in database %p.|Informational, DAOS has been enabled for database %p.|Informational, DAOS is enabled in database %p.|Informational, cannot enable DAOS in database %p with ODS version %d.                                                        
17/01/2015 12:01:15 Informational, DAOS is already enabled in database mail\jdoe.nsf.                                                      
17/01/2015 12:01:15 Informational, to move objects into DAOS and enable DAOS you need to perform a copy-style compaction with the -daos tag (-C -daos on) on mail\jdoe.nsf.        

Talked to an IBM support rep and he informed me that this is a known issue covered in SPR # BBSZ9QDK4P
Fix probably will not make it into FP3 which is scheduled for Q1, more likely that this will be fixed in 9.0.2

In the mean time archiving will work normally withouth the -daos on parameter, but you'll have to manually check and if necessary enable DAOS for new archives to reduce storage requirements.



10-27-2014

Installing Lotus Notes 9.0.1 in 64-bit Ubuntu 14.04

Tags: ubuntu linux lotus notes 9.0.1
Download the installer from Partnerworld/Passport Advantage andunpack into a temp directory.

Unfortunately, there are some dependency problems on 64 bit Ubuntu Linux that prevent installation of the Notes client.

$ cd Downloads
$ mkdir n901
$ cd n901
$ tar -xvf ../NOTES_9.0.1_LINUX_DI_EN.tar

...

06-13-2014

[There is no RPC service named Account ] error on BlackBerry 10 device after activation

Tags: BlackBerry BlackBerry Enterprise Service 10 BES 10 Traveler activation error activation lotus
For those still supporting BlackBerry devices...

I recently ran into this problem while activating a new BB 10 device at a customer site. (BES 10 in combination with IBM Notes Traveler 9.0.1)

Steps to reproduce:
- create new user in the BES admin interface
- activate the device
- enter Domino webmail password on device when prompted by BB Hub

After a while this error appears.
I have found this KB document which http://www.blackberry.com/btsc/KB35447 contains instructions on how to redeploy the email profile but this not fix the issue.

The cause in my case was that the user was not a member of the group that's allowed access to the Traveler server - too bad the error message wasn't more descriptive or it would have saved me quite a bit of time.

P.S. Is it just me or is the BB Q5 slooooooooooooooooooooooooooow


08-03-2012

The fixup that didn't

Tags: Lotus Domino fixup corrupt database 8.5 8.5.x
After a problem at a customer with a corrupt database which could not be fixed by the fixup task, (the database kept reporting that a consistency check was in progress) one of my coworkers contacted IBM who eventually gave him the following bit of information

There is a known issue where fixup does not delete the bad document: SPR # TSOE8KCJCP - Fixup does not repair corrupt database

Setting the following ini variable should allow fixup to continue on the error.

DEBUG_FIXUP_DELETE_ERRORS_INCLUDE=2B8,227

The SPR is a regression that was introduced in 8.5.1 and the last known release where it worked is 8.5 . So if the workaround does not work, try to run fixup on a 8.5 server to see if the database is cleaned up.

02-21-2012

Domino 8.5.3 mailfile move does not create correct redirect file

Tags: Lotus Domino 8.5.3 adminp redirect file nrf move user
A customer is in the process of moving users to their new environment where the user's mailfile location is different from the old environment (i.e. mail\username.nsf -> mail\ou\username.nsf).

AdminP creates the mailfile in the correct location on the new server and updates the person document accordingly.
Sofar so good.

Once the administration process removes the old  mailfile replicas some users start complaining that they can no longer access their mailfile.

Further investigation shows that the location document on the client is updated with the correct new location of the mailfile, however the standard client is rather persistent in trying to open the mailfile from the old location. This is where the redirect file should kick in.
Unfortunately, the mail\username.nrf on the old server points to mail\username.nsf on the new server instead of mail\OU\username.nsf, resulting in a popup on the client asking the user where the client should start looking for the mailfile.

Manually updating the .nrf file so it points towards the correct location fixes the issue for the users.