Domino Administrator
What's new in IBM Lotus Domino Administrator and Server 8.5.3?
This topic describes the new features of the IBM Lotus Domino server and Domino Administrator client in release 8.5.3, and where you can find more information about them. It also describes new Domino Administrator functionality for IBM Lotus Notes installation and upgrade, Notes roaming user, and Notes Widgets and Live Text. In addition, the embedded version of Sametime installed with Notes in 8.5.3 has been upgraded from 8.0.2 to 8.5.1.
To address this limitation, you can now apply policy settings based on characteristics of a client user's machine. Different policy settings can be applied on each machine a user runs; for example, you could allow the creation of a managed replica only on laptops. Machine-specific settings can also allow server administrators to determine what policy settings to enforce, based on the specific attributes of the machine on which the Lotus Notes client is running. Some possible attributes include: version and type of OS, type of machine, basic or standard client, notebook, desktop, and so on. Machine-specific policy settings are supported by a new @Function (@GetMachineInfo), which improves the policy handling characteristics in the 8.5.3 client, by changing policy settings forms in the template, and by adding formulas for the policy settings. For more information about the new @function, see the Domino Designer documentation. For details on the new policy settings, see the linked technotes.
Technote #1501673: Machine-specific policy settings
Technote #1474598: Adding New Machine Specific Policy Settings to pubnames.ntf
Administrators can specify new mail arrival notification using desktop policy
The desktop policy includes an option for enforcing a new Lotus Notes client 8.5.3 preference for arrival of new mail, Slide in a summary; the preference briefly shows the client user a small slide-in window announcing a new message. You can make this preference part of a desktop policy by enabling the option When new mail arrives, slide in summary in the desktop policy settings document on the Preferences > Mail tab. Your Domino server must be using the 8.5.3 pubnames.ntf design. For details on the new policy setting, see the linked technote.
Technote #1447014: 8.5.3 newmail popup feature requires 8.5.3 mail template for optimal function
New Server.Load workload scripts
Server.Load now includes the following workload scripts.
The DWA85 Initialization workload creates and populates mail databases in preparation for running either the DWA85 workload or the DWA85Lite workload.
The DWA85 workload models an active user on an iNotes85 client in Full Mode performing various Mail, Calendaring, and Folder operations on their mail database. An average user runs this script four times per hour.
The DWA85Lite workload models an active user on an iNotes85 client performing various Mail, Calendaring, and Folder operations on their mail database. An average user runs this script four times per hour.
For details on the new scripts, see the linked technote.
Technote #1504983: Server.Load workload scripts: DWA85 Initialization, DWA85, and DWA85Lite
Improvements and changes to Administrator templates
See the following technote for any additional improvements and changes in supplied templates for the Domino Administrator Client, such as the Domino Directory (pubnames.ntf) template.
Technote #1501675: Purge Interval Replication Control (PIRC) prevents unwanted replication of deleted documents
Subject prefixes (such as "Re:") are ignored when sorting on subjects, improving the results of sorting by subject. When sorting a view, the view pivots on the selected entry; that is, the selected entry maintains selection in the newly sorted view.
If administrators enable alternate name support, ultra-light mode users can display and send mail to alternate names.
Ultra-light mode users can enable a prompt that hides or shows remote images in messages, allowing users to hide the images if they do not trust the source. Administrators can manage this preference through policies.
Ultra-light mode now supports the iNotes_WA_ReadAttachments notes.ini setting and the Disallow attachments if not installed server configuration document Browser Cache Management setting. Administrators can use these settings to prevent attachment downloads from all modes.
Additionally, support has been added for a new notes.ini setting, iNotes_WA_MobileReadAttachments, which follows the same pattern as the iNotes_WA_ReadAttachments notes.ini setting. Administrators can use this setting to prevent attachment downloads strictly for mobile device clients.
Sametime integration
This release provides an update to the Sametime Proxy Server that is needed if you want to benefit from the Sametime Proxy Server Web 2.0 experience in Lotus iNotes. This update requires at least Sametime version 8.5.2. The Sametime Proxy Server provides Lotus iNotes clients with an updated feature-rich Contact List and Chat UI, and eliminates the need for a JVM on the client for these services. The Sametime Proxy Server is a self-contained WebSphere application that can easily be added to an existing iNotes/Sametime deployment with minimal configuration changes. For a new deployment, a minimum of three servers must be installed, one each for: iNotes, Sametime, and Sametime Proxy.
To configure iNotes integration with the Sametime Proxy Server, go to the Server Configuration document, then Lotus iNotes tab, and choose the directory type selected during Sametime server setup and installation in the Directory type used by IBM Lotus Sametime server field. Then add these notes.ini settings to your Domino server:
Minimum settings using authentication to Sametime Proxy by token
iNotes_WA_SametimeProxy=1
iNotes_WA_SametimeProxyServer=http://STProxyServer.com:port
(Use the port that was set up by the proxy server. The default is 9080.)
Optional Notes.ini settings
To authenticate with the Sametime Proxy using Username/Password rather than by token:
iNotes_WA_SametimeProxyLogin=1
To support secure SSL connections:
iNotes_WA_SametimeProxyServerSSL=https://STProxyServer.com:port
(Use the port that was set up by the proxy server. The default is 9443.)
You can also set the values using policy settings and the Server Configuration document.
Support for importing contacts from non-English CSV files
Users exporting contacts to a non-English CSV file can then import that data using the iNotes Import Contacts feature.
New mail delivery option
To prevent recipients of a mail message from seeing the membership of a personal group receiving the message, you can use the new Do not expand personal groups delivery option. This prevents expansion of the personal group in the received message.
Improved autoprocessing of meeting updates
iNotes users can employ the new calendar display preferences When I add or remove meeting invitees, update the other participants and Automatically process meeting updates and apply changes to meetings to improve the handling of meeting updates
Technote #1459627: Using the Lotus Notes single user to multi-user migration assistant tool
Lotus Notes Install Cleanup Executable (NICE)
You can use the supplied Notes Install Cleanup Executable (NICE) tool to clean up a failed installation, failed uninstall or failed upgrade. You can also use the tool to uninstall an existing version of Notes, and clean up extraneous files, before performing an upgrade installation. The tool is available for Lotus Notes 8.x installations on supported Windows platforms only and must be run as an administrator.
Technote #1459714: Using the Lotus Notes Install Cleanup Executable (NICE) tool
Adding and removing components from the Notes install kit using the UpdateSiteMgr tool
The Notes install kit's trimUpdateSite and addToKit customization tools have been merged into a single UpdateSiteMgr tool. The addToKit and trimUpdateSite tools are no longer supplied. The UpdateSiteMgr tool is supplied as UpdateSiteMgr.exe in the kit customization compressed file in the deploy\Utility folder. This tool is used in command-line mode only. Based on command-line options, you can use the tool to add or remove named components from the Notes install kit. Functionality is essentially identical to the trimUpdateSite and addToKit tools. For more details, see the linked technote.
Technote #1459716: Adding and removing components from the Notes install kit using UpdateSiteMgr tool
In addition, an ID Vault policy can now prevent password prompts from other Notes-based applications. Notes client users are able to select the option Don't prompt for a password from other Lotus Notes-based programs (reduces security) in their login and password settings. In this release, you as the Domino administrator can enable this option for multiple users in the Security policy, ID vault tab, Password Management Basics tab.
Integrated Windows authentication (IWA) for Eclipse-based clients
You can use Integrated Windows Authentication for supplied and third-party Eclipse-based client applications, enabling SPNEGO authentication for integrated Notes application clients. This includes Notes and its embedded Eclipse-based features such as Widgets and Live Text, Feeds, IBM Connections, and Composite Applications as well as embedded Sametime and embedded Symphony. It also includes adjunct products that are based on Eclipse but not embedded within Notes, such as IBM WebSphere Portal with SiteMinder and stand-alone IBM Connections 3.0 with SiteMinder. IWA is an authentication protocol that allows users to achieve single sign-on using the Windows credentials of the currently logged in user. SPNEGO is one mechanism of IWA that allows the client and server to negotiate which authentication protocol to use. These protocols are limited to NTLM and Kerberos. For more details, see the linked technote.
Technote #1459717: Integrated Windows authentication (IWA) for Eclipse-based clients, including Lotus Notes, Symphony, and Sametime
Tivoli Access Manager and SiteMinder form-based authentication changes
Tivoli Access Manager and SiteMinder form-based authentication type accounts used for single sign-on are now subject to additional checks. By default, the login form on the authentication server must be accessed using SSL and the server must be contained in a list of trusted sites. The Accounts preference page has been enhanced to include the ability to change these settings. A Preferences > Accounts > Trusted Sites preference page is also provided on the client. For more details, see the linked technote.
Technote #1459738: Tivoli Access Manager and SiteMinder form-based authentication changes for Notes accounts
Public Widget Provider APIs
A set of public APIs is available that developers can use to create custom widget types for use with either supplied or custom applications. After deploying the plug-in containing the new widget type, the new widget types can then be disabled or enabled for users in the same way as the supplied widget types (using either Domino policy or a plugin_customization.ini file). Power users can then create widgets of these additional widget types and deploy them to other users. For more details, see the linked technote.
BRMS enhancement
NSD enhancements
KeyView
Copy DA replica to new server
CFGDOMSVR *REMOVE enhancement
Setup.exe on i 7.1 with cumulative PTFs or i 7.1b
Tech Note #1437957: Configuring managed replicas using the Desktop Settings document
Email interoperability and HTML font size
An issue with dynamically increasing HTML text font size in Lotus Notes mail messages has been resolved. As part of this solution, the "HTML Size" value set in the Configuration settings policy document is now ignored; the value is fixed at 12. For reference, navigation to this setting is as follows:
1. From the Domino Administrator, click the Configuration tab, expand the Messaging section, and click Configurations.
2. Select the Configuration Settings document for the desired mail server and click Edit Configuration.
3. Click the MIME - Settings by Character Set Groups tab. The option is available in the Inbound Message Options - Font Options section.
also use these managed accounts to meet authentication needs for embedded browser-based components such as Feeds, Widgets, and so on. For details, see the linked technote.
Corrupt Database Collection
A facility to automatically collect corrupt databases has been introduced. This facility allows corrupt databases to be collected without bringing down the Domino server. In some cases, the cause of database corruption may be determined by examining the database in the corrupt state. For details, see the linked technote.
DAOS enhancement for archive databases
The behavior of compact options is changed when compact options for DAOS and archiving are used in combination. You can use a combination of options to DAOS-enable a newly created archive database. For details, see the linked technote.
Space Used column
In 8.5.1 the Space Used column was removed from the Files tab in the Domino Administrator client, but in 8.5.2 it is visible again. It will display a value of "N/A" when there is no current calculation of its value. For performance reasons, used space in a Notes database is not continuously tracked or calculated frequently. It is calculated only in the following cases:
A user clicks the "% used" button on the "i" tab in the database's Properties box.
The Notes database is compacted to reduce the file size.
Fixup is run on the Notes database.
The server that hosts the Notes database is set to enforce database quotas using the "Check space used in file when adding a note" quota enforcement method.
Note: If the administrator is using "Check space used in file when adding a note" as the quota enforcement method, and none of the other actions are performed, Space Used is calculated only once daily.
Changes to templates
The design templates for the Directory Assistance database and the Resource Reservations database both have additional or modified options for administrators, described in the following technotes:
Tech Note #1430859: Directory Assistance template changes
Tech Note #1442724: Managing automatic notices to owners of rooms/resources
Tech Note #1429892: Monitoring slow or unresponsive databases with the Domino Diagnostic Probe
Ultra-light mode support for right-to-left languages
Ultra-light mode now supports right-to-left languages based on the device or browser language setting. However, this does not include support for the new Bidirectional settings preference.
New language preference
Users can use the Language Setting preference to change the display language for iNotes. If Use Default is selected, the browser language is used.
Add Sametime meeting information to invitations
Users can now include their Sametime meeting information on the invitation when they schedule meetings. They can select the type of meeting used by their organization (including a Sametime Classic, Sametime 8.5, or third-party meeting), and save it as the default online meeting. Then, when they create meetings, this information is pre-populated on the meeting invitation form.
Over quota checking feature
Optionally, users will not be able to create new messages or calendar entries when their mailbox size reaches its quota.
Mark Subject Confidential feature
This new delivery option allows users to mark the subject of a message as confidential.
Apple iPad support
Apple iPad running firmware version 3.2.x is supported.
Android OS support
Smartphones running Google Android version 2.1.x in WVGA resolution are supported.
Thai language support
The Thai language is now supported for PDF printing.
Changes to SELECTINSTALLFEATURES command line argument behavior
The SELECTINSTALLFEATURES command line argument for feature installation and removal has been deprecated and is no longer enabled to remove installed Notes features. For details, see the linked technote.
Notes preloader for improved Notes performance
A Notes preloader can be configured to run at OS startup. The preloader allows for faster Notes client startup by preloading some required Notes libraries when the OS is started. For details, see the linked technote.
Tech Note #1421639: Double-byte and special character restrictions on Notes installation directory names
Tech Note #1433717: Verbose logging and log file for Notes install
Tech Note #1423124: Feed Reader option for Notes install and upgrade
Tech Note #1424066: ADDFEATURES and REMOVEFEATURES MSI command line arguments for Notes silent reinstall or upgrade
Tech Note #1424486: Notes command line argument SELECTINSTALLFEATURES no longer removes installed features
Tech Note #1424193: Lotus Notes preloader
8.5 8.5.1
For information on new features in Lotus Domino 8.0, see the "What's new.." topics in the Domino 8.0 Administrator section of the Domino and Notes Information Center.
Support for pushing managed settings is now available using the Custom Settings tab on the Domino desktop policy settings. This enables you to push both Lotus-supplied and custom Domino policy, Eclipse preferences, and notes.ini settings during client install or upgrade, including deployment of Notes client features and plug-ins using widget deployment methods.
A new topic describing the process of updating a deployed Notes feature and plug-in has been added.
A new "Use the "Bypass approval..." option on the Remove Roaming Profile dialog is available for automating the removal of roaming databases whenever a user is downgraded from roaming to non-roaming.
The Notes user workspace can now participate in roaming.
Domino roaming for the IBM Lotus Notes standard configuration user is introduced in this release, as are two new roaming-specific databases: a feeds subscription database and an Eclipse plug-in data and preferences database.
A new type of roaming, file server roaming, is also available in this release.
A new Roaming policy settings document for upgrading a user to, or downgrading a user from, file server roaming is also available.
User files configured for roaming now appear in a single Roaming Applications folder on the Notes replicator page.
A new Notes preference panel, Roaming, is now available for file server roaming-enabled users.
The Domino Configuration Tuner (DCT) evaluates server settings according to a growing catalog of best practices. All servers in a single domain can be evaluated together. DCT provides best practice analysis as well as worst practice disclosure, and helps reduce total cost of ownership by assisting you in identifying configuration problems. DCT looks at settings in the Domino Server documents, the NOTES.INI file, and advanced database properties.
Support for Notes standard configuration installation and usage on the Apple Mac OS platform is introduced in this release.
The Notes start-up sequence has been reordered as part of performance enhancement in this release. Notes users are now prompted to authenticate (log in using their Notes password) before the Notes workbench appears on-screen. The new NOTES.INI setting for this sequence is "ENABLE_EARLY_AUTHENTICATION", which has a default setting value of 1, enabling the new mode. Disabling the setting reverts to the old (pre-8.5) start-up mode. If the ENABLE_EARLY_AUTHENTICATION setting is disabled (0), the Roaming user functionality introduced in release 8.5 is not functional and performance enhancements gained in the reordered start-up sequence are not realized.
A description of how to use a centrally managed Widgets catalog and widgets to deploy stand-alone and third party Eclipse features and plug-ins to an existing Notes install is now documented in this guide. This method is now strongly suggested for deploying new features, and automatically provisioning feature updates, to users and supersedes the previously suggested Eclipse update manager (EUM) method, which required users to manually install and manually search for updates.
The Widgets and Live Text code has been moved from Notes (and the Notes install kit) to the IBM Lotus Expeditor layer. User documentation has been moved to Notes client help.
Statistics generated during administration request processing - The Administration Process records statistics to help you monitor portions of the administration process tasks. All administration process requests scheduled for processing originate from the Administration Requests database (ADMIN4.NSF). You can view the progress of an administration request as it is processed by the administration process. There are a number of different stages and collection areas for each NoteID.
You can now push administrative trust defaults to a new deploy.nsf in the install media kit using an Export option in the server's Domino Directory to provide additional trust capabilities during an install.
Customized data directory specification is now available during Notes multi-user install and upgrade for supported Citrix and Windows platforms.
An add-on installer toolkit is now available for creating custom install kits for deploying third-party features to an existing Notes install.
A validation tool is now available for testing changes made to a customized Notes install kit before running the installation executable.
The Symphony feature in the Notes installation panel is now available when installing on the Apple Mac OS X platform.
The Activities feature in the Notes installation panel has been renamed Connections.
Silently installing Notes requires new options when installing Domino Designer, Domino Administrator, and/or Lotus Symphony features.
The Start Configuring Widgets wizard dialog (click Getting Started with Widgets in the Notes toolbar or My Widgets sidebar panel) contains a new option -- Features and Plugins. This option launches a new wizard sequence designed to simplify the process of creating a Notes client plug-in deployment widget, a process currently documented in the "Deploying client plug-ins with widgets and the widget catalog" section of Domino Administrator help. The wizard guides you through the widget definition process, prompting for the updatesite in which that target plug-in resides. After selecting the plug-in you want, entering the name, image url, and description for the widget, and reviewing the manifest used for the widget, the wizard will create the widget and install the plug-in. You can then export or publish the widget to the catalog.
The Notes Widgets preference panel (File > Preferences > Widgets) now has a browse button for the widgets catalog server and database fields, simplifying the task of specifying the target server on which the widgets catalog resides.
You can now create a customized data directory when installing or upgrading Notes multi-user on a Windows or Citrix platform.
The "Activities" option on the Notes install panel has been renamed "Connections." However, the feature name remains "Activities" in the installed Notes sidebar panel.
The "WebSphere Portal composite application support for Notes" tool, also known as "Notes SCI", has been retired and removed from the Notes install kits (apps\ca8_SCI.exe and xvf ca8_SCI.tar) and replaced with the Expeditor NCI tool.
A new topic describing the process of updating a deployed Notes feature and plug-in has been added.
The Linux platform Notes install kit contains a new ntsspreld.sh script that, when installed and enabled, reduces Notes client auto-start time after the first operating system startup.
Notes 8.5 introduces support for file server roaming and IBM Lotus Domino server roaming for the standard configuration user. A new Roaming preference panel is available for Notes users configured for file server-based roaming.
New help topics have been added to more fully describe how to remove certain features to reduce the Notes install kit size.
Notes 8.5 introduces support for Widgets and Live Text on the Apple Mac OS platform; previously it was available on the supported Windows and Linux platforms only.
Notes 8.5 supports installation and use on Mac OS. See release notes or tech notes for system requirements and operating system version support.
Notes 8.5 supports installation and use on Citrix. See release notes or tech notes for system requirements and operating system version support. This capability was initially made available in release 8.0.1.
Notes 8.5 installation on Linux is available as an RPM or DEB install kit. The ISMP install kit is no longer available.
A description of how to use a centrally managed widgets catalog and widgets to install and deploy stand-alone and third party features and plug-ins to an existing install is now documented in this guide. This method is now suggested for deploying new features, and automatically provisioning feature updates, to users and supersedes the previously suggested Eclipse update manager (EUM) method.
The Widgets and Live Text code has been moved from Notes (and the Notes install kit) to the IBM Lotus Expeditor layer. End user and power user documentation has been moved to Notes client help.
The Notes basic configuration Allclient install kit is no longer available; however, the Notes-only basic configuration install kit remains available. Customers looking to install or upgrade to the Domino Designer 8.5 or Domino Administrator 8.5 clients must use the Notes standard configuration Allclient install kit. This is applicable to the Windows client platform as there is no Notes basic configuration Allclient install kit for the Mac OS or Linux platforms.
By optimizing the copying of DAOS objects, the Lotus Notes client is now able to recognize that a user's mail server is enabled for DAOS, and to refrain from replicating unnecessary copies of attachments, improving connection speed for users of mail and other databases on the server. New Show Stat DAOS commands provide information on this optimization.
Note: This new object copy optimization feature requires the compaction of local mail database files to the current ODS level.
New advanced database property Use Domino Attachment and Object Service -- The Domino Attachment and Object Service (DAOS) reduces the total cost of ownership of maintaining any participating Notes database by storing all file attachments in a separate repository on the server and retrieving them by reference. Multiple copies of the same attachment in any participating Notes database on the server are stored only once, eliminating disk space devoted to duplicate storage.
The following features can be enabled using new policy settings in the Mail Policy settings document on the Lotus iNotes Configuration tab.
Description
By default, Lotus iNotes users can set a Mail preference so that their Inbox is updated (refreshed) automatically when new mail arrives. Use this setting to disable the user preference. If this setting is not enabled, the Lotus iNotes user preference does not display in Mail preferences.
Enable so that the number of unread messages in a folder displays in the navigator pane of the iNotes client.
Autoupdate unread count
Enable scroll hints
Select the mail folders for which you want the unread count to update automatically.
Select to display information about messages (depending on sort order) as users scroll through a mail list view.
By default, when a user opens an attachment, a message displays warning that opening the attachment may be a security risk. Enable this option to suppress the warning message.
Enabling prevents users from accessing or forwarding images by filtering them out of messages at the server level.
Use this setting to specify a list of Lotus Quickr servers and assign user-friendly names for the servers. Then when a user browses to add a place in their Lotus Quickr user preferences, they can browse for places by selecting from the list you have defined in their effective policy.
By default the sidebar displays in the mail client. Select Hide to prevent the sidebar from displaying.
By default, a set of user preferences are available in the mail client. To prevent preferences from displaying, clear this field.
Enable archiving on a per person basis. Using one or both of these policy settings overrides archiving settings in the server's Configuration Settings document.
Show preferences
Mail disclaimer policy settings are now supported by Lotus iNotes.
Support for Notes links -- Users can open Notes links (application, document, or view links) either in a new browser window or in Lotus Notes.
Web-style search -- A new notes.ini setting, INOTES_WA_DISABLE_WEBSTYLE_SEARCH=1, allows Lotus iNotes users to perform Web-style searches.
Disable URL links in edit mode -- By default, users can identify or open hotspot links (URLs) while editing or responding to a message. You can prevent this for Microsoft Internet Explorer and return to the behavior of previous releases. Use the setting iNotes_WA_EnableOpenLinkInEditor=0 to prevent IE users from accessing or identifying links in compose or edit mode. The default setting is 1 (enabled).
Two Archive policy settings are now supported. Prohibit archiving and Prohibit private archiving criteria can be used to disable archiving for Lotus iNotes users, or to prohibit the creation of private archive criteria.
Using security policy settings for configuring proxies -- Previously, proxies were configured by use of a proxyconfig.properties file located in the Domino\data\properties directory. This is no longer supported, and you must use a security policy settings document to configure proxies.
ID Vault -- Lotus iNotes users can take advantage of the Notes ID Vault to back up their Notes ID. iNotes supports the use of policies to enable this feature. Once ID Vault is enabled, iNotes users will have an additional Security preference Synchronize Notes ID with Vault. If this feature is not enabled, the user preference does not display.
Prefetch Documents -- You can set a notes.ini setting so that the client loads the contents of either the visible unread messages or of all visible messages in an asynchronous manner after the view list is loaded. The result is that messages will open from the view faster, because the contents are not being loaded when the message is opened; rather, they have already been fetched and exist in the view. Note that enabling this feature may have some bandwidth or server CPU consumption trade-offs. To enable this feature, use notes.ini setting iNotes_WA_PrefetchDocuments=value, where:
1 = fetches all unread documents shown in the mail view
2 = fetches all documents shown in the mail view
Customizing color gradients -- You can now easily customize the color gradients used in Lotus iNotes by editing the dwa.properties file in forms85.nsf. All gradient fill and roundrect colors are now defined in dwa.properties. To change colors, edit this file in Lotus Domino Designer and provide new color specifications. Notes.ini setting to unblock Google Chrome browser -- The Google Chrome browser is blocked by default. To allow the use of Chrome, use iNotes_WA_ChromeBrowserBlock=0. If this setting is absent or set to any other value, the Chrome browser is blocked. Notes.ini setting to allow pass-thru of HTML -- As of Domino 8.5.1, pass-thru HTML that is enclosed within square brackets is disabled by default. To allow this pass-thru HTML style, use the setting iNotes_WA_AllowPassThruHtml =1. The default value is 0. New ultra-light client mode - The newest mode of Lotus iNotes is the ultra-light mode. It is designed for use on a mobile device and is initially supported on the Apple iPhone or iPod touch. It provides basic mail and contacts capabilities, along with a day-at-aglance calendar. Lotus iNotes widgets -- Administrators can define a set of widgets that can be integrated into the Lotus iNotes mail client and can specify the toolbox catalog and category names from which users can select and install their own widgets. Lotus Quickr integration -- Administrators can enable the use of Lotus Quickr links and attachments in messages, and the ability to set Lotus Quickr preferences in their Lotus iNotes users preferences. External Calendar overlays -- Administrator can allow users to add an external calendar to their Lotus iNotes calendar, overlaying the information so that all calendar display in the Lotus iNotes calendar. 
HTTP-proxy servlets -- For Lotus iNotes features that send requests to external servers or Web services, such as with Lotus Quickr integration or Widgets, administrators can use an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.
Mail Policy settings -- Lotus iNotes supports some of the Mail Policy settings that can be applied either to IBM Lotus Notes users or to Lotus iNotes users. In addition, the Mail Policy Settings document includes a Lotus iNotes tab that has settings that apply only to Lotus iNotes users.
Desktop Policy settings -- Lotus iNotes supports some of the Desktop Policy settings.
New Web server tell command -- There is a new server console command that allows administrators to replace or update the Lotus iNotes forms.nsf file without having to restart the Domino server.
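The three notes.ini settings described above (iNotes_WA_PrefetchDocuments, iNotes_WA_ChromeBrowserBlock and iNotes_WA_AllowPassThruHtml) can be checked against their documented values with a short script. This is an added example, not IBM code; the function names, the sample file, case-insensitive key matching and the choice to evaluate the last of several duplicate entries are assumptions.

```python
# Added example: audits the three iNotes notes.ini settings described above.
# Assumptions (not from the page): keys are compared case-insensitively, and
# when a key is repeated the last occurrence is the one evaluated.

# Constructed sample input, not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
iNotes_WA_PrefetchDocuments=2
inotes_wa_chromebrowserblock=1
iNotes_WA_AllowPassThruHtml=1
iNotes_WA_AllowPassThruHtml=0
"""

# Values documented above: 1 = unread documents, 2 = all documents in the view.
PREFETCH_MODES = {"1": "unread", "2": "all"}


def parse_notes_ini(text):
    """Map each lower-cased key to the list of values it is given, in file order."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep or not key.strip():
            continue  # section header, blank line, or anything that is not key=value
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def audit_inotes_settings(text):
    """Return the effective state of each setting plus a list of review findings."""
    settings = parse_notes_ini(text)
    findings = []

    def effective(name):
        values = settings.get(name.lower(), [])
        if len(values) > 1:
            findings.append(f"{name} is set {len(values)} times: {values}")
        return values[-1] if values else None

    # Chrome is blocked unless the value is exactly 0 (absent or other = blocked).
    chrome = effective("iNotes_WA_ChromeBrowserBlock")
    chrome_blocked = chrome != "0"
    if chrome not in (None, "0"):
        findings.append(f"iNotes_WA_ChromeBrowserBlock={chrome}: only 0 unblocks Chrome")

    # Pass-thru HTML in square brackets is off by default (0); 1 turns it back on.
    passthru = effective("iNotes_WA_AllowPassThruHtml")
    passthru_allowed = passthru == "1"
    if passthru_allowed:
        findings.append("iNotes_WA_AllowPassThruHtml=1: bracketed pass-thru HTML is enabled")
    elif passthru not in (None, "0"):
        # Only 0 and 1 are documented; treating other values as disabled is an assumption.
        findings.append(f"iNotes_WA_AllowPassThruHtml={passthru}: undocumented value")

    # Prefetch is off unless set to 1 or 2; enabling it costs bandwidth or server CPU.
    prefetch = effective("iNotes_WA_PrefetchDocuments")
    prefetch_mode = PREFETCH_MODES.get(prefetch, "off")
    if prefetch in PREFETCH_MODES:
        findings.append(f"prefetch of {prefetch_mode} documents: check bandwidth and CPU impact")
    elif prefetch is not None:
        findings.append(f"iNotes_WA_PrefetchDocuments={prefetch}: undocumented value")

    return {
        "chrome_blocked": chrome_blocked,
        "passthru_html_allowed": passthru_allowed,
        "prefetch": prefetch_mode,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_inotes_settings(SAMPLE_NOTES_INI)
    for name in ("chrome_blocked", "passthru_html_allowed", "prefetch"):
        print(f"{name}: {report[name]}")
    for finding in report["findings"]:
        print("finding:", finding)
```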
Auto-populated groups -- The auto-populated groups feature uses predefined criteria to automatically determine and update group membership. Use the auto-populated groups feature to apply policies to users and groups based on their home servers.
Router optimizations -- Router optimizations are a series of enhancements and changes to the Domino mail router, designed and implemented to reduce latency (that is, the amount of time between when a message is sent and when it is delivered), to contribute to reduced I/O, and to address scalability issues caused by a large message backlog. Mailbox event notification is also a router optimization. In Domino, when the router is running in a steady state and a new message is deposited in MAIL.BOX, a copy of the message is made and placed on a mailbox event queue which is then used by a new MailEvent thread in the router. The router then uses this copy of the message without having to search MAIL.BOX to discover new messages or perform a full note open for use in transfer or delivery. The message is cached and additional copies of this message are made as needed for multiple recipients. You can use NOTES.INI settings to limit the amount of memory used by open notes. The memory values are shared and maintained by mailbox event generation and any open router note. These enhancements do not cause changes to the UI, but they are noticeable as performance improvements; see the new Show Stat Mail statistics and the new router task detail.
Support for easily pushing Eclipse managed settings, notes.ini settings, and location settings is now available using the Custom Settings tab on the Domino desktop policy settings page in conjunction with the server's Domino Directory (names.nsf). This enables you to push both Lotus-supplied and custom settings during client install or upgrade, including deployment of Notes features and plug-ins using widget deployment methods.
Ability to push trusted certificates to clients -- You can create cross-certificates in the Domino Directory for Internet certifiers and Lotus Notes certifiers and then push the cross-certificates to the Contacts application on Lotus Notes clients. The cross-certificates are used to establish client trust of a certifier when accessing servers, reading encrypted S/MIME mail, or installing signed Lotus Notes client plugins. When you push cross-certificates, users are not required to create the cross-certificates or retrieve them from the Domino Directory. You can also push Internet certifiers to clients and enable users to create cross-certificates themselves. There are two ways to push certificates to clients' Contacts: through customization of the Lotus Notes client installation media or through security policy settings.
Time stamping plug-in jar signatures -- You can now time-stamp plug-in jar signatures using the jarsigner tool provided by the Java SDK to ensure the long term validity of plug-in signatures. The Notes client uses a time stamp included with a plugin jar signature to determine if the plug-in signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it so that users are not confronted with security prompts during plug-in installation or provisioning. You can use security policy settings to control whether to also ignore expiration of the time stamping certificates themselves. By default, time stamping certificate expiration is ignored.
A new setting has been added to the Mail policy settings document to allow for detection of e-mail applications other than Notes. The first use of the detection functionality is to prevent data loss when exchanging calendar invitations among users of Notes calendars and users of other calendars such as Microsoft Outlook/Exchange.
Specify the Lotus Protector for Mail Security 2.5 server URL in a NOTES.INI setting in the desktop policy settings document.
Specify customized mail quota warning text using a NOTES.INI file setting in the desktop policy settings document. Use the notes.ini setting quotawarningtext=<value> to specify the URL or text that will be displayed when a Notes user's mail file size exceeds the mail quota threshold or the maximum mail quota size. In the NOTES.INI setting, you specify a URL or actual text that will display. You can place instructions for reducing the size of the user's mail file in the location accessible by the URL.
There are new policy settings for Lotus iNotes as well as general policy settings that Lotus iNotes now supports. For more information, see Lotus iNotes -- new features.
New Dynamic Policies -- Dynamic policy assignment is a new option for assigning explicit policies that allows you to assign policy settings to individual users and groups just by specifying the appropriate user or group name in a policy document. You are able to "set it and forget it" as far as the policy goes. As the organization changes, you only need to update the Group document. If a user changes jobs or organizations, you do not need to determine which policies need updating. The updated group information is applied the next time the effective policy is calculated for any users in that group.
A new Roaming policy settings document has been added in support of the file server roaming and IBM Lotus Domino server roaming functionality introduced in this release for the IBM Lotus Notes 8.5 and greater standard configuration user. Notes standard configuration user roaming, and this policy page, are introduced in this release.
A new setting has been added to the "Enable provider IDs for widget addition" and "Restrict provider IDs for installation/execution" Widgets policy page settings to allow for widgets that deploy client plug-ins. The setting, "com.ibm.rcp.toolbox.prov.provider.ToolboxProvisioning" is also available for the equivalent Eclipse preference settings in the plugin_customization.ini file.
The desktop policy settings document contains additional Window Management settings. On the Preferences - Window Management tab, the setting "Display sidebar" controls whether the sidebar displays on the Notes Client user's desktop. There are new "Hide" settings for several sidebar panels including Feeds, Day-At-A-Glance, Activities, Sametime Primary Contacts, and My Widgets. To review all of the new Window Management settings, see the topic Creating a desktop policy settings document.
Windows single sign-on for Web clients -- You can set up an IBM Lotus Domino Web server to honor Windows users' Active Directory logon credentials. Users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a Domino HTTP password.
ID vault integration with programs that store ID files in databases -- You can enable Lotus Notes API programs that can store Lotus Notes IDs in databases to use an ID vault. Doing this allows the users of such programs, for example, Lotus iNotes users or Lotus Notes Traveler users, to take advantage of the ID management features that an ID vault provides.
Ability to push trusted certificates to clients -- You can create cross-certificates in the Domino Directory for Internet certifiers and Lotus Notes certifiers and then push the cross-certificates to the Contacts application on Lotus Notes clients. The cross-certificates are used to establish client trust of a certifier when accessing servers, reading encrypted S/MIME mail, or installing signed Lotus Notes client plugins. When you push cross-certificates, users are not required to create the cross-certificates or retrieve them from the Domino Directory. You can also push Internet certifiers to clients and enable users to create cross-certificates themselves. There are two ways to push certificates to clients' Contacts: through customization of the Lotus Notes client installation media or through security policy settings.
Time stamping plug-in jar signatures -- You can now time-stamp plug-in jar signatures using the jarsigner tool provided by the Java SDK to ensure the long term validity of plug-in signatures. The Notes client uses a time stamp included with a plugin jar signature to determine if the plug-in signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it so that users are not confronted with security prompts during plug-in installation or provisioning. You can use security policy settings to control whether to also ignore expiration of the time stamping certificates themselves. By default, time stamping certificate expiration is ignored.
Support for a stronger Internet password format in Person documents if all servers run Domino 8.0.1 or later.
Workstation security options in the execution control list (ECL) can now control execution of Java code in XPages applications.
Notes shared login -- Notes shared login allows users to start IBM Lotus Notes and use their Notes IDs without having to provide Notes passwords. Instead, they only need to log in to Microsoft Windows using their Windows passwords. Unlike the Notes Single Login feature in earlier releases, Notes shared login does not use the Windows password for the Notes ID file. Instead, it stores a secret used to unlock the Notes ID file in a secure way using a mechanism provided by Windows, so the secret will only be accessible by users who have logged into Windows.
ID Vault -- The ID Vault is a Domino database that holds protected copies of Notes user IDs. The use of the ID vault allows administrators to more easily manage Notes user IDs.
XPages security -- Control the execution of XPages on a server the same way in which you control execution of agents.
Ease of use for platform statistic event generators -- When you create a statistics event generator, you now have the option to monitor a template statistic. This option allows you to monitor a platform statistic for all instances of all tasks on a server, so that you do not have to create a separate statistics event generator for each task instance. You can select the template statistic to monitor from a drop-down list of platform statistics, including DominoLocalFreeKBytes, DominoSharedFreeKBytes, HeapFreeKBytes, MemFreeKBytes, SharedFreeKBytes.
Console Log Mirroring -- Console log mirroring causes a new server thread to be created which monitors all messages written to the Console Log file and duplicates these messages into another file. When this new file is filled, the thread closes the mirrored file and creates a new file into which subsequent messages are written.
Interoperability for non-Notes calendar users -- You can now configure compatibility mode and MIME simplification on the server to improve the experience for users of Microsoft Exchange, Microsoft Outlook, and other non-Notes calendars.
Show Stat DAOS -- Commands provide statistics on improved network performance when messages or documents containing DAOS objects are replied to, forwarded, or replicated between clients and DAOS-enabled servers, or between databases on the same server, including clustered servers.
Show IDvaults -- This command displays configuration information about the ID vaults on a server and indicates if any documents required for proper vault operation are missing.
Show Stat Mail -- You can view new messaging statistics in the server console window when you enter the command show stat mail.
DAOS Manager Tell commands -- These commands include status and re-synchronization commands for the Domino Attachment and Object Service (DAOS). A listnlo command helps identify missing attachment files, and a prune command helps clean up unused ones.
Enhancement to Show Tasks -- The Show Tasks server command now includes task status from additional mail router threads and generates detail regarding router activity.
Enhancements to Show Server and Show Directory -- These commands now report whether the Domino Attachment and Object Service (DAOS) is enabled, and provide a list of which databases are included in DAOS with details for each.
The Domino Web server can serve files compressed by gzip (GNU zip). This feature is on by default. You must add the compressed file to the appropriate server directory, and certain restrictions apply.
Servers that provide IBM Lotus Notes or browser users with access to applications
Hub servers that handle communication between servers that are geographically distant
Web servers that provide browser users with access to Web applications
Servers that manage messaging services
Directory servers that provide users and servers with information about how to communicate with other users and servers
Passthru servers that provide users and servers with access to a single server that provides access to other servers
Domain Search servers that provide users with the ability to perform searches across all servers in a Domino domain
Clustered servers that provide users with constant access to data and provide load-balancing and failover
Partitioned servers that run multiple instances of the Domino server on a single computer
Firewall servers that provide Notes users with access to internal Domino services and protect internal servers from outside users
xSP servers that provide users with Internet access to a specific set of Domino applications
Your decisions help determine which types of Domino servers you require. When you install each server, you must select one of the following installation options:
Domino Utility Server -- Installs a Domino server that provides application services only, with support for Domino clusters. The Domino Utility Server is an installation type for Lotus Domino that removes client access license requirements. Note that it does NOT include support for messaging services. See full licensing text for details.
Domino Messaging Server -- Installs a Domino server that provides messaging services. Note that it does NOT include support for application services or Domino clusters.
Domino Enterprise Server -- Installs a Domino server that provides both messaging and application services, with support for Domino clusters.
Note All three types of installations support Domino partitioned servers. Only the Domino Enterprise Server supports a service provider (xSP) environment.
Looking at Acme's diagram, you can see where they located their servers in the tree. Acme decided to split the company geographically at the first level and create certifier IDs for the East and West organizational units. At the next level down, Acme made its division according to department.
Common name (CN) -- Corresponds to a user's name or a server's name. All names must include a common name component.
Organizational unit (OU) -- Identifies the location of the user or server in the organization. Domino allows for a maximum of four organizational units in a hierarchical name. Organizational units are optional.
Organization (O) -- Identifies the organization to which a user or server belongs. Every name must include an organization component.
Country -- Identifies the country in which the organization exists. The country is optional.
An example of a hierarchical name that uses all of the components is: Julia Herlihy/Sales/East/Acme/US
Typically a name is entered and displayed in this abbreviated format, but it is stored internally in canonical format, which contains the name and its associated components, as shown below: CN=Julia Herlihy/OU=Sales/OU=East/O=Acme/C=US.
Note You can use hierarchical naming with wildcards as a way to isolate a group of servers that need to connect to a given Domino server in order to route mail.
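The component rules and the abbreviated and canonical formats described above can be exercised with a small converter and wildcard matcher. This is an added example, not Domino code: the function names and the has_country parameter are hypothetical, and the two-letter country code and the leading-asterisk wildcard form (for example */East/Acme) are assumptions.

```python
# Added example: hierarchical name handling for the components described above.
import re

# CN first, up to four OUs, exactly one O, optional C last (limits from the text).
_COMPONENT_ORDER = re.compile(r"^CN(,OU){0,4},O(,C)?$")


def to_canonical(abbreviated, has_country=False):
    """Convert 'Julia Herlihy/Sales/East/Acme/US' to canonical format.

    has_country is a hypothetical parameter: the abbreviated form does not say
    whether its last component is a country, so the caller has to state it.
    """
    parts = [p.strip() for p in abbreviated.split("/")]
    if any(not p for p in parts):
        raise ValueError("empty name component")
    country = None
    if has_country:
        country = parts.pop()
        # Assumption: a country is written as a two-letter code.
        if not re.fullmatch(r"[A-Za-z]{2}", country):
            raise ValueError("country must be a two-letter code")
    if len(parts) < 2:
        raise ValueError("a name needs a common name and an organization")
    cn, *ous, org = parts
    if len(ous) > 4:
        raise ValueError("at most four organizational units are allowed")
    pieces = [f"CN={cn}"] + [f"OU={ou}" for ou in ous] + [f"O={org}"]
    if country:
        pieces.append(f"C={country.upper()}")
    return "/".join(pieces)


def parse_canonical(canonical):
    """Split a canonical name into (type, value) pairs and check their order."""
    components = []
    for piece in canonical.split("/"):
        kind, sep, value = piece.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed component: {piece!r}")
        components.append((kind.strip().upper(), value.strip()))
    if not _COMPONENT_ORDER.match(",".join(kind for kind, _ in components)):
        raise ValueError("components must be CN, up to four OU, O, optional C")
    return components


def to_abbreviated(canonical):
    """Drop the component labels: the form in which names are entered and shown."""
    return "/".join(value for _, value in parse_canonical(canonical))


def matches_wildcard(canonical, pattern):
    """True if the name falls under a pattern such as '*/East/Acme'.

    The asterisk stands for the common name and any deeper organizational
    units; the rest of the pattern must equal the end of the name.
    """
    if not pattern.startswith("*/"):
        raise ValueError("pattern must start with '*/'")
    suffix = [p.strip().lower() for p in pattern[2:].split("/")]
    below_cn = [value.lower() for _, value in parse_canonical(canonical)][1:]
    return len(suffix) <= len(below_cn) and below_cn[-len(suffix):] == suffix


if __name__ == "__main__":
    name = to_canonical("Julia Herlihy/Sales/East/Acme/US", has_country=True)
    print(name)
    print(to_abbreviated(name))
    # Constructed server names for the wildcard check.
    for server in ("CN=Mail1/OU=East/O=Acme", "CN=Mail2/OU=West/O=Acme"):
        print(server, matches_wildcard(server, "*/East/Acme"))
```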
Domino domains
A Domino domain is a group of IBM Lotus Domino servers that share the same Domino Directory. As the control and administration center for Domino servers in a domain, the Domino Directory contains, among other documents, a Server document for each server and a Person document for each Notes user.
Partitioned servers
Using IBM Lotus Domino server partitioning, you can run multiple instances of the Domino server on a single computer. By doing so, you reduce hardware expenses and minimize the number of computers to administer because, instead of purchasing multiple small computers to run Domino servers that might not take advantage of the resources available to them, you can purchase a single, more powerful computer and run multiple instances of the Domino server on that single machine. On a Domino partitioned server, all partitions share the same Domino program directory, and thus share one set of Domino executable files. However, each partition has its own Domino data directory and NOTES.INI file; thus each has its own copy of the Domino Directory and other administrative databases. If one partition shuts down, the others continue to run. If a partition encounters a fatal error, Domino's fault recovery feature restarts only that partition, not the entire computer. Partitioned servers can provide the scalability you need while also providing security. As your system grows, you can migrate users from a partition to a separate server. A partitioned server can also be a member of a cluster if you require high availability of databases. Security for a partitioned server is the same as for a single server.
When you set up a partitioned server, you must run the same version of Domino on each partition. However, if the server runs on UNIX, there is an alternative means to run multiple instances of Domino on the server: on UNIX, you can run different versions of Domino on a single computer, each version with its own program directory. You can even run multiple instances of each version by installing it as a Domino partitioned server. If the server runs on IBM i, you can use multi-versioning support to install and run multiple Domino servers at different release levels. For more information about setting up partitioned or multi-version servers on IBM i, see the Installing and Managing Domino 8 for System i documentation.
Organization certifier ID
The organization certifier appears at the top of the name tree and is usually the name of the company -- for example, Acme. During first server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino data directory, giving it the name CERT.ID. During first server setup, this organization certifier ID automatically certifies the first Domino server ID and the administrator's user ID.
If your company is large and decentralized, you might want to use the Domino Administrator after server setup to create a second organization certifier ID to allow for further name differentiation -- for example, to differentiate between company subsidiaries.
Certifier security
By default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. When you use the Domino Administrator to create an additional organization certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area.
User ID recovery
To provide ID and password recovery for Notes users, you need to set up recovery information for each certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the recovery information, and the user ID files themselves must be made recoverable. There are three ways to do this:
At user registration, create the ID file with a certifier ID that contains recovery information.
Export recovery information from the certifier ID file and have the user accept it.
(Only for servers using the server-based certification authority) Add recovery information to the certifier. Then, when existing users authenticate to their home server, their IDs are automatically updated.
For more information, see the chapter "Protecting and Managing Notes IDs."
Creates /Acme as the organization certifier ID during first server setup.
Uses the /Acme certifier ID to create the /East/Acme and /West/Acme certifier IDs.
Uses the /East/Acme certifier ID to register servers and users in the East coast offices and uses the /West/Acme certifier ID to register servers and users in the West coast offices.
Uses the /East/Acme certifier ID to create the /Sales/East/Acme, /Marketing/East/Acme, and /Development/East/Acme certifier IDs.
Uses the /West/Acme certifier ID to create the /HR/West/Acme, /Accounting/West/Acme, and /IS/West/Acme certifier IDs.
Uses the /Sales/East/Acme, /Sales/Marketing/Acme, and /Development/East/Acme certifier IDs to register users and servers in the East coast division.
Uses the /HR/West/Acme, /Accounting/West/Acme, and /IS/West/Acme certifier IDs to register users and servers in the West coast division.
Internet services
The IBM Lotus Domino Server Setup program presents these selections for Internet services:
Web Browsers (HTTP Web services)
Internet Mail Clients (SMTP, POP3, and IMAP mail services)
Directory services (LDAP)

Administration Process
Calendar Connector
Schedule Manager
DOLS (Domino Off-Line Services)
These are optional advanced Domino server services that you can enable:
DIIOP CORBA Services
DECS (Domino Enterprise Connection Services)
Billing
HTTP Server
IMAP Server
ISpy
LDAP Server
POP3 Server
Remote Debug Server
SMTP Server
Stats
Statistic Collector
Web Retriever
Note It is best to use activity logging instead of the billing service.
Characters 31 maximum
Tips
This is usually the same as the organization name. Use a single word, made up of only alpha (A-Z) or numeric (0-9) characters. By default, the Server Setup program assigns names in the format port name network -- for example, TCP/IP network. Edit Notes named network names to use an identifier such as the location of the IBM Lotus Notes named network and the network protocol -- for example, TCPIP-Boston. This name is typically the same as the Domino domain name. The organization name is the name of the certifier ID and is appended to all user and server names. There can be up to four levels of organizational units. Choose a name you want to keep. If you change a server name, you must recertify the server ID.
31 maximum
Organization
3-64 maximum*
Choose a name that meets your network's requirements for unique naming. On TCP/IP, use only the characters 0 through 9, A through Z, and - (dash). On NetBIOS, the first 15 characters must be unique. On SPX, the first 47 characters must be unique. Keep in mind that Domino performs replication and mail routing on servers named with numbers before it does those tasks on servers named with alphabetic characters. Use a first and last name. A middle name is allowed, but usually not needed. User names may contain the ' (apostrophe). Can have only one alternate name. Use any of these characters: A - Z, 0 - 9, & - . _ ' / (ampersand, dash, period, space, underscore, apostrophe, forward slash). The only characters that are expressly prohibited are @ and //.
User
79 maximum*
No minimum 62 maximum
Note You can create groups with hierarchical distinguished names (DN). However, you must surround the forward slash (/) in a component value of a DN with double quotes. For example, 24"/"7 Support.
Note Do not create group names containing a / (slash) unless you are working in a hosted environment. Using the / in group names in a non-hosted environment causes confusion with hierarchical naming schemes. Hierarchical names are required in a hosted environment.
For mail routing, you can nest up to five levels of groups. For all other purposes, you can nest up to six levels of groups. Do not include spaces Optional
No maximum 0 or 2
* This name may include alpha characters (A - Z), numbers (0 - 9), and the ampersand (&), dash (-), period (.), space ( ), and underscore (_).
Installing Domino on Microsoft Windows systems
Installing Domino on UNIX systems
Installing Domino on IBM i
Using silent server installation to install Domino on Windows or UNIX systems
Installing Domino on Linux on IBM System z systems
Make sure that the required hardware and software components are in place and working.
Read the Lotus Domino Release Notes for operating system and network protocol requirements. Check the Release Notes for last-minute changes or additions that may impact the silent server install.
Temporarily disable screen savers and turn off virus-detection software.
Before running any Domino setup command, complete any pending reboot actions you may have from installing other applications.
Make sure that all other applications are closed.
Installation activity: Running silent install with default selections and options
Example:
On Windows: setup.exe -silent
On UNIX: ./install -silent

Installation activity: Running silent install using response files
Example:
On Windows: setup.exe -silent -options c:\temp\file.txt
On UNIX: ./install -silent -options /local/response.dat
Parameter
-silent
Runs the basic silent server install using the default options.
On Windows, setup -silent -option C:\temp\file.txt
On UNIX, ./install -silent -option /local/response.dat
Creates a Domino domain.
Creates the certification log file, names it CERTLOG.NSF, and saves it in the Domino data directory.
Uses the PUBNAMES.NTF template to create the Domino Directory for the domain, names the directory NAMES.NSF, and places it in the Domino data directory.
Creates an organization certifier ID, names it CERT.ID, and saves it in the Domino data directory.
Optionally creates an organizational unit certifier ID, names it OUCERT.ID, and stores it in the Domino Directory.
Creates a Certifier document, which describes the organization certifier ID, in the Domino Directory.
Creates a server ID, names it SERVER.ID, and saves it in the Domino data directory.
Uses the organization certifier ID to certify the server ID.
Creates a Server document in the Domino Directory and includes in it information that you specified during the setup program.
Creates a Person document in the Domino Directory for the Domino Administrator that you specified during the setup program.
Creates a user ID and password for the Domino Administrator and attaches it as a file named USER.ID to the administrator's Person document in the Domino Directory.
Uses the organization certifier ID to certify the administrator's user ID.
Gives the administrator and the server Manager access in the ACL of the Domino Directory.
Adds the server name to the LocalDomainServers group in the Domino Directory.
Creates the log file, names it LOG.NSF, and saves it in the Domino data directory.
Enables the appropriate network and serial ports.
Creates a mail directory in the Domino data directory and creates a mail file in that directory for the Domino Administrator.
Creates the Reports file, names it REPORTS.NSF, and saves it in the Domino data directory.
Updates network settings in the Server document of the Domino Directory.
Configures SMTP, if selected during the setup program.
If "DOLS Domino Off Line Services" was selected during the setup program, creates the Off-Line Services file, names it DOLADMIN.NSF, and saves it in the Domino data directory.
Updates the Access Control List in all databases and templates in the Domino data directory tree to remove Anonymous access and/or add LocalDomainAdmin access, depending on the selections made during the setup program.
Configures xSP Service Provider information, if selected during the install program.
Copies the Domino Directory, if a file location was specified during the setup program, names it NAMES.NSF, and saves it in the Domino data directory.
Copies the server's ID from the location specified during the setup program, either from a file, a copy of the directory, or the existing Domino server's directory; names it SERVER.ID; and saves it in the Domino data directory.
Retrieves the Domain name and Administrator name from the Server document in the Domino Directory.
Creates the log file, names it LOG.NSF, and saves it in the Domino data directory.
Copies or replicates the Administration Requests file, names it ADMIN4.NSF, and saves it in the Domino data directory.
Copies or replicates the Monitoring Configuration file, names it EVENTS4.NSF, and saves it in the Domino data directory.
Replicates the Domino Directory, if it doesn't already exist, names it NAMES.NSF, and saves it in the Domino data directory.
Creates a Connection document to the existing Domino server in the Domino Directory.
Creates the Reports file, names it REPORTS.NSF, and saves it in the Domino data directory.
Updates network settings in the Server document of the Domino Directory.
Configures SMTP, if selected during the setup program.
If "DOLS Domino Off-Line Services" was selected during the setup program, creates the Off-Line Services file, names it DOLADMIN.NSF, and saves it in the Domino data directory.
Updates the Access Control List in all databases and templates in the Domino data directory tree to remove Anonymous access and/or add LocalDomainAdmin access, depending on the selections made during the setup program.
Configures xSP Service Provider information, if selected during the install program.
Replicates changes made to the Server document with the existing server, if any.
Removes the SERVER.ID attachment from the Domino Directory, if applicable.
compact -c <database name>
Note In-place compacting has been changed. When a database with an earlier level of ODS is detected, Domino does not automatically convert to copy-style compact to upgrade your databases. The current level of ODS provides potential improvement for I/O, folder optimization, compression, and attachment consolidation.
Mail (R8.5) template (MAIL85.NTF)
Discussion - Note & Web template (DISCUSSION8.NTF)
Note DOLS runs on Domino servers configured to work through a Microsoft IIS server.
The Domino server is either a Domino Utility Server or Domino Enterprise Server.
All servers in the cluster run the same release of Domino with DOLS
Clustered server management is running to handle both failover of replication and HTTP
Internet Cluster Manager is running
Subscription directories must have the same name on every clustered server. For example, if a subscription is under \data\Webmail user\7CD5957CB669AE2285256BDF00567AD8\, this name cannot be different on a different server in the cluster.
Configuration Notes
When you install Domino 8.x, the stlinks files that are installed in the stlinks directory (for example, C:\st\domino\Data\domino\html\sametime\stlinks), are overwritten. If you have modified stlinks files (for example, if the Sametime server is configured for tunneling), you should make a backup copy of them, and then replace the stlinks files that are installed during the upgrade.
To access the Sametime server using a protocol that is different from the current Web page's protocol, use the NOTES.INI configuration setting iNotes_WA_SametimeProtocol.
Sametime integration with Lotus iNotes is not supported with JRE 1.4.1.
Use these installation instructions to install and set up Sametime for Lotus iNotes.
Enter the Sametime server's name in the "Destination server" field. For example: Sametime/Acme.
Enter the Lotus iNotes server's name in the "Source domain" field.
Enter the Sametime server's name in the "Destination domain" field.

Enter the Lotus iNotes server's name in the "Destination server" field.
Enter the Sametime server's name in the "Source domain" field.
Enter the Lotus iNotes server's name in the "Destination domain" field.
If you choose not to enable instant messaging for all users, then you must edit the Person document for each user who will use instant messaging:
1. From the Domino Administrator, click the People & Groups tab.
2. Select the Lotus iNotes Domino directory, then click People.
3. Double-click a name to open the user's Person document.
4. Click Edit.
5. Enter the name of the Sametime server in the "Sametime server" field. For example, Sametime/Sales/Acme/UK.
6. Click "Save & Close."
7. Repeat Steps 3 through 6 for each person.
Edit the Sametime configuration file
1. Open the Sametime Configuration application (stconfig.nsf) on the Sametime server.
2. From the "By Form" view, open the ComunityConnectivity document.
3. Add the IP address of the Domino Web Access server to the Community Trusted IPs field.
4. Save and close the document, and then restart the Sametime server.
Edit the servlet configuration file
1. Create a text file in the data directory on the Lotus iNotes server called servlets.properties that includes the following line:
   servlet.DWABuddyList.code=com.lotus.dwa.stbuddy.DWABuddyList
2. (Optional) If you are using reverse proxy servers in your environment, you may need to add the following line, with the fully qualified domain name or IP address of the Sametime server, to the servlets.properties file:
   servlet.DWABuddyList.initArgs=stserver=sametime.company.com
Enable the Lotus iNotes Contact List client for Mozilla Firefox
1. Add the NOTES.INI setting iNotes_WA_DisableFirefoxAwareness=0 to the NOTES.INI file on the Lotus iNotes server.
2. Add the signed version of the stlinks.jar file into the stlinks directory wherever you have an stlinks directory (on the Sametime server and on the Lotus iNotes server).
Part 6 - (for mixed environments only) Install Sametime 7.0 Connect for browsers
For users whose mail file is based on the DWA7.NTF template on a Domino 8.0 server, you can disable Lotus iNotes Contact List and use the Sametime 7.0 Connect for browsers. Sametime 7.0 Connect for browsers is not installed by default when you install the Sametime 7.5.x server. See the Release Notes for information about version-specific support.
Disable the Lotus iNotes contact list
1. From the Domino Administrator, click the Configuration tab.
2. Click the Configuration Settings document for the Lotus iNotes server, and then click Edit Configuration.
3. Click the Lotus iNotes tab.
4. In the Instant Messaging section, for the field Prefer DWA 8 Contact List, select Disabled.
5. Save and close the document, and then restart the server.
Deploy Sametime 7.0 Connect for browsers on a Sametime 7.5 server
Extract the file javaconnect.zip to the <server>\data\domino\html\sametime\javaconnect directory on the Sametime 7.5 server.
Enable the Sametime 7.0 Connect for browsers link for Sametime 7.5
1. Open the Sametime Configuration application (stconfig.nsf) on the Sametime server.
2. From the "By Form" view, open the ComunityClient document.
3. Set the Launch Connect link field to True.
4. Save and close the document, and then restart the Sametime server.
Part 7 - Set up Domino Web SSO authentication between the Lotus iNotes server and IM server
Domino single sign-on (SSO) authentication allows Web users to log in once to a Domino or IBM WebSphere server, and then access any other Domino or WebSphere server in the same DNS domain that is enabled for single sign-on (SSO) without having to log in again.
In a multiple server environment, it is possible that one or more servers in your Domino domain are already configured for Domino SSO, and the Domino Directory already contains a Domino Web SSO configuration document. When you install Sametime, it creates a Web SSO configuration document called LtpaToken unless one already exists in the Domino directory. If an LtpaToken configuration document already exists, Sametime does not attempt to alter it.
Note You cannot use an Internet Site document on the Sametime server to set up SSO between the Sametime server and the iNotes server. Use the procedure provided here instead.
To confirm that the Domino server on which you have installed Sametime is set up properly for Sametime, see the Sametime Help topic "Verifying the Domino Server document settings" in the IBM Lotus Sametime 8.0.x Information Center.
For information about the use of site documents to set up SSO, see technote number 21157740 - Can Sametime work with Internet Sites enabled? http://www-01.ibm.com/support/docview.wss?rs=203&uid=swg21157740
For more information about Domino Web SSO authentication, see the Domino Administrator Help topic "Multi-server session-based authentication (single sign-on)."
Configure the Lotus iNotes server for Web SSO
Complete the steps in this section if your Lotus iNotes server is not configured for Web SSO, and you want to use the Web SSO document that Sametime created to configure it.
1. Ensure that the Domino Directory has replicated throughout the Domino domain since you installed Sametime.
2. Update the Web SSO Configuration document that was created when you installed Sametime (LtpaToken):
   1. Open the Domino Directory and select the Configurations - Web - Web Configurations view.
   2. From within this view, expand the list of Web SSO Configurations.
   3. Open the "Web SSO Configuration for LtpaToken" document in edit mode. (If you are unable to edit the document, record the settings in the document, and then delete it and create a new one.)
   4. Update these fields if necessary:
      Domino Server Names -- make sure this field contains the name of all of the Lotus iNotes servers and Sametime servers that should participate in Single Sign-on.
      DNS Domain -- make sure this is the fully-qualified domain name of the Lotus iNotes and Sametime server.
   5. Click Save & Close.
3. Enable single sign-on and basic authentication in the Server document for the Lotus iNotes server. When you update the Web SSO Configuration field, select LtpaToken from the list.
4. Ensure that the updates replicate to all of the servers in the domain.
Update Lotus iNotes server Web SSO configuration
Complete the steps in this section if your Lotus iNotes server is already configured for Domino Web SSO. You must add the Sametime server to your configuration:
1. Update your existing Domino Web SSO Configuration document.
   1. Open the Domino Directory and select the Configurations - Web - Web Configurations view.
   2. From within this view, expand the list of Web SSO Configurations.
   3. Open the Domino Web SSO document that you are using for your Domino Web Access server in edit mode.
   4. Update these fields if necessary:
      Domino Server Names -- make sure this field contains the name of all of the Domino Web Access servers and Sametime servers that should participate in Single Sign-on.
      DNS Domain -- make sure this is the fully-qualified domain name of the Sametime server.
   5. Click Save & Close.
2. Update the Server document for the Sametime server.
   1. Open the server document.
   2. Click Internet Protocols - Domino Web Engine, and select the Web SSO Configuration field.
   3. From the drop-down list, select the Web SSO Configuration that you are using for the Domino Web Access server.
   4. Click Save & Close.
3. Ensure that the updates replicate to all of the servers in the domain.
Although Domino SSO is the preferred authentication method, you can continue to use secrets and tokens authentication databases, if you are already using them. For example, if any of the servers in your domain is configured for something other than multiple server SSO, (single server SSO for example) you must use secrets and tokens authentication. For information on setting up Secrets and Tokens authentication, see the topic Setting up Secrets and Tokens authentication for instant messaging in Lotus iNotes.
Note If the instant messaging status does not appear next to the Welcome username text in Lotus iNotes, check the user's Person document in the Domino directory. If you configured the Sametime server by populating this document, make sure the "Sametime server" field is correct (Basics tab, under Real-Time Collaboration).
Setting up Secrets and Tokens authentication for instant messaging in Lotus iNotes
If you want to use Secrets and Tokens authentication databases for your instant messaging security instead of IBM Lotus Domino Single Sign-On (SSO) Authentication, you must create a one-time replica of the Tokens database on the IBM Lotus iNotes server. When you do this, remember that file names are case sensitive on UNIX, so the Secrets database name must be entered exactly as STAuthS.nsf.
To replicate STAuthS.nsf from the IBM Sametime server to the Domino server directory:
1. Using an IBM Lotus Notes client, choose File - Application - Open.
2. Enter the name of the Sametime server (for example, Sametime/Acme).
3. Enter the Secrets database filename: STAuthS.nsf
4. Click Open.
5. Choose File - Replication - New Replica.
6. Enter the name of the Lotus iNotes server (for example, iNotes/Acme).
7. Ensure that the database is replicated to the data directory: ...\domino\data\stauths.nsf.
8. Click OK to create the replica.
Note After you have replicated stauths.nsf from your Sametime server to your Domino server, open the Replication Settings dialog box for the database, click Other, and check the "Temporarily disable replication for this replica" box. This will prevent another version of the database from a Microsoft Windows system from overwriting your name change (using uppercase and lowercase letters) for the UNIX server.
2. Copy the following two lines from the Hostinfo.js file to the beginning of the stlinks.js file (by default, there are only 2 lines in the Hostinfo.js file):
   var HTTP_TUNNELING_PORT=xx;
   var TUNNELING_ADDRESS="";
   The values you see for these variables in the hostinfo.js file should match your Sametime server tunneling configuration. For releases after 2.5, Sametime normally creates and automatically updates the content of these files on the Sametime server.
3. Save the updated stlinks.js file on the Sametime server.
   Note When you upgrade your Sametime server to a later release, the stlinks.js file is replaced with the default version and you must perform steps 1-3 again to update the file. It is also possible that installing a Sametime fix pack may make it necessary to restore the updates.
4. Copy the updated stlinks.js file from the Sametime server to the Lotus iNotes server, replacing the existing stlinks.js file in <Domino_data_directory>\domino\html\sametime\stlinks.
   Note If the Lotus iNotes server is running on IBM i, make sure that the owner of the stlinks.js file is set to QNOTES.
When you upgrade Domino to a new release, the customized STLinks files may be replaced, and Lotus iNotes-Sametime integration may stop working. This can occur when you upgrade Domino on either the Lotus iNotes server or the Sametime server. In recent Domino releases, the original contents of the STlinks directory are backed up to the following directory before the files are replaced:
Microsoft Windows: <Domino_data_directory>\domino\html\sametime\stlinks.save
IBM AIX and Solaris: <Domino_data_directory>/domino/html/sametime/stlinks.save
IBM i: <Domino_data_directory>/domino/html/sametime/stlinks/stlinks.sav
After you upgrade Domino on either the Lotus iNotes server or the Sametime server, restore any stlinks.js customizations from the file in the backup directory to the file in the stlinks directory.
When you update the level of Lotus Sametime by installing a newer release of Sametime or applying a fix pack, it is possible that you will also need to copy the newer version of the stlinks directory to your Lotus iNotes server. Make sure you check the documentation that accompanies the Sametime update to determine if this is necessary. If this occurs, you will need to reapply your stlinks.js customizations on each of the servers.
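A post-upgrade check for the stlinks.js customization described above, as an added example that is not part of the IBM documentation. The function names, the TOP_LINES tolerance, and the sample port 8082 are assumptions made for this sketch; the hostinfo.js location is passed as an argument because the page does not give it.

```shell
#!/bin/sh
# Added example, not IBM code. Checks that the two tunneling declarations
# copied from hostinfo.js still sit at the top of stlinks.js after an upgrade.

TOP_LINES=5   # assumption: "the beginning of the file" = its first 5 lines

# decl_of NAME: read JavaScript on stdin and print the first "var NAME=...;"
# line with CRs, spaces and tabs removed, so copies can be compared.
decl_of() {
    tr -d '\r' |
        sed -n "/^[[:space:]]*var[[:space:]][[:space:]]*$1[[:space:]]*=/{p;q;}" |
        tr -d ' \t'
}

# check_stlinks HOSTINFO_JS STLINKS_JS
#   0 = both variables lead stlinks.js and equal the hostinfo.js values
#   1 = a variable is missing from the top of stlinks.js
#   2 = a variable is present but differs from hostinfo.js
#   3 = hostinfo.js itself lacks a variable
check_stlinks() {
    hostinfo=$1
    stlinks=$2
    for name in HTTP_TUNNELING_PORT TUNNELING_ADDRESS; do
        want=$(decl_of "$name" < "$hostinfo")
        [ -n "$want" ] || return 3
        have=$(head -n "$TOP_LINES" "$stlinks" | decl_of "$name")
        [ -n "$have" ] || return 1
        [ "$have" = "$want" ] || return 2
    done
    return 0
}

# audit_stlinks HOSTINFO_JS STLINKS_DIR BACKUP_DIR
# Prints one status word telling the administrator what to do next.
audit_stlinks() {
    audit_rc=0
    check_stlinks "$1" "$2/stlinks.js" || audit_rc=$?
    case $audit_rc in
        0) echo OK ;;
        2) echo MISMATCH ;;
        3) echo HOSTINFO_INCOMPLETE ;;
        *)  # customization gone: is it still in the pre-upgrade backup?
            if [ -f "$3/stlinks.js" ] && check_stlinks "$1" "$3/stlinks.js"; then
                echo RESTORE_FROM_BACKUP
            else
                echo REAPPLY_FROM_HOSTINFO
            fi ;;
    esac
}

# make_sample: build a constructed directory tree (all values made up) that
# looks like a server right after an upgrade replaced stlinks.js.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/stlinks" "$d/stlinks.save"
    printf 'var HTTP_TUNNELING_PORT=8082;\r\nvar TUNNELING_ADDRESS="";\r\n' \
        > "$d/hostinfo.js"
    # live file as shipped by the upgrade: the two lines are gone
    printf '// default stlinks.js\nfunction placeholder(){}\n' \
        > "$d/stlinks/stlinks.js"
    # pre-upgrade backup still carries the two lines
    {
        printf 'var HTTP_TUNNELING_PORT=8082;\nvar TUNNELING_ADDRESS="";\n'
        cat "$d/stlinks/stlinks.js"
    } > "$d/stlinks.save/stlinks.js"
    echo "$d"
}

# Run against real paths when called with three arguments.
if [ "$#" -eq 3 ]; then
    audit_stlinks "$1" "$2" "$3"
fi
```

Run it on both the Sametime server and the Lotus iNotes server, since the page notes that an upgrade on either one can replace the file.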
Note If the Sametime server is configured using a port other than the default port, then the "Fully Qualified Hostname" field must contain hostname:port. For complete information on working with multiple Sametime servers, see the IBM Lotus Sametime 8.0.x Information Center.
The IBM Lotus Sametime server is up and running. To make sure stlinks is running normally, you can check the Sametime server directory \trace\stlinks.txt log file.
All the ST**** services are up and running. Check the control panel - services; all ST**** services should be running when the Sametime server has fully started. If there are ST**** services not running, start STCommunity server first. If this service cannot be started, check the network connections and the Sametime server log file.
Make sure the \stlinks directory and the files are on both the Sametime server and application server directories.
When you update the level of Sametime by installing a newer release of Sametime or applying a fix pack, it is possible that you will also need to update the stlinks files on your Lotus iNotes server. Make sure you check the documentation that accompanies the Sametime update.
If you had previously customized the STLinks files and have recently upgraded either your Sametime server or your Lotus iNotes server to a new version of Domino, the customized files may have been replaced. See the topic Customizing STLinks files for tunneling or Reverse Proxy servers.
Make sure the user has enabled Instant Messaging in Preferences.
Make sure the user's Person document has been set up with the Sametime server names.
Use the http:// protocol only for the Sametime server.
Browser Address
The instant messaging integration features rely on the ability of the browser to directly communicate with the Sametime server. This means that the fully-qualified Internet hostname of the Sametime server must be resolvable from the browser (for example, the fully qualified Internet hostname for a Domino server named IM/Acme might be im.acme.com). Therefore, either DNS must be able to resolve this address or it must be resolved to the proper IP address by some other mechanism (such as editing of the local operating system's hosts file).
Use the server setup program on the server you are setting up.
Use the server setup program from a client system or from another server.
Create a setup profile by recording your choices during the server setup program.
Use a setup profile to set up multiple servers with the same requirements.
Use a setup profile without viewing the setup screens ("silent" setup).
Using automatic server setup on Linux on System z and on UNIX.
To select an alphabet different from that of the default language, see the following procedure.
Note Clicking Next to go to the next screen restores the alphabet to that of the default language. Repeat the preceding procedure for each screen on which you want to use a different alphabet.
2 -- To automatically launch server setup in listen mode after installing a new server. You can then connect to the server using the Remote server setup tool. To automatically restart the server after installing a server upgrade.
Note When the Install program starts on a Linux on System z system, the program asks for the password of the ID that owns the Notes data directory.
1. Locate the option "Select server setup method."
   Note The default is Manual server setup. When the manual setting (0) is active, you must manually initiate the server setup or server restart.
2. Press the Spacebar until you see the setting you want to use. You can use one of the following settings:
   o Local server setup -- To automatically launch server setup after installation or to automatically restart the server after a server upgrade.
     Note For Linux on System z and z/OS, set the DISPLAY environment variable so that the setup program is directed to a workstation supporting X-Window. When the Install program starts, it asks for the password of the ID that owns the IBM Lotus Notes data directory.
   o Remote server setup -- To automatically launch server setup in listen mode after installing a new server. You can then connect to the server using the Remote server setup tool. To automatically restart the server after a server upgrade.
     Note When the Install program starts on a Linux on System z system, the program asks for the password of the ID that owns the Notes data directory.
   o Manual server setup -- To disable automatic server setup and enable manual setup. You have to manually start the server after a new server installation or restart the server after an upgrade when you use this setting.
3. Press Tab to accept the setting.
To run the server setup program from a Windows client with Domino Administrator
Note Before running any Domino setup command, be sure to complete any pending reboot actions you may have from installing other applications.
1. Make sure that you:
   o Selected "Remote server setup" when you installed Domino Administrator on the client system (on the Windows desktop, choose Start - Programs - Lotus Applications and see if Remote server setup appears in the list)
   o Know the host name or network address of the remote system
2. Install the Domino server program files on a server system, but do not run the Domino server setup program.
3. At the command prompt on the server system, from the Domino program directory, do one of the following:
   o On a Microsoft Windows server, enter nserver -listen
   o On a UNIX server, enter server -listen
4. On the client system, choose Start - Programs - Lotus Applications - Remote server setup.
5. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino server setup program.
To run the server setup program from a Windows client without Domino Administrator, or from a UNIX workstation
Note Before running any Domino setup command, be sure to complete any pending reboot actions you may have from installing other applications.
1. Make sure that you know the host name or network address of the remote system.
2. Install the Domino server program files on a server system, but do not run the Domino server setup program.
3. At the command prompt on the server, from the Domino program directory, do one of the following:
   o On a UNIX server, enter /lotus/bin/server -listen
   o On a Windows server, enter nserver -listen
4. On the client system, install the Java runtime environment.
5. Create a temporary directory on the client system. For example, enter the following at the command prompt:
   o On a Windows client: mkdir c:\temp
   o On a UNIX workstation: mkdir /temp
6. Do one of the following:
   o From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\Domino program directory on the server.
   o From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are in /Domino program directory/lotus/notes/latest/ibmpow/ on an IBM AIX server, /Domino program directory/lotus/notes/latest/zlinux/ on a Linux on System z server, /Domino program directory/lotus/notes/latest/linux/ on a Linux server, and /Domino program directory/lotus/notes/latest/sunspa/ on a Solaris server.
   Note Linux on System z and z/OS ship tar files on the CD which contain all the files needed for remote server setup.
   On Linux on System z -- ZLINUX_CLIENT.TAR
   On z/OS -- ZOS_CLIENT.TAR
7. At the command prompt on the client system, from the directory you created, do one of the following:
   o On a Windows client, enter remotesetup.cmd
   o On a UNIX workstation, enter remotesetup
8. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the remote server.
9. Enter the host name or network address of the remote server.
10. Click OK to start the Domino server setup program.
Tip Entering nserver -help or server -help displays all parameters available for working with remote server setups.
5. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the remote server.
6. Enter the host name or network address of the remote server.
7. Click OK to start the Domino server setup program.
To create a setup profile from a Windows client without Domino Administrator or from a UNIX workstation
1. Install the Domino server program files on the server system, but do not run the Domino server setup program.
2. On the client system, install the Java runtime environment.
3. Create a temporary directory on the client system. For example, enter the following at the command prompt:
   o On a Microsoft Windows client: mkdir c:\temp
   o On a UNIX workstation: mkdir /temp
4. Do one of the following:
   o From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\Domino program directory on the server.
   o From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are located as follows:
     /<Domino program directory>/lotus/notes/latest/ibmpow/ on an IBM AIX server
     /<Domino program directory>/lotus/notes/latest/zlinux/ on a Linux on System z server
     /<Domino program directory>/lotus/notes/latest/linux/ on a Linux server
     /<Domino program directory>/lotus/notes/latest/sunspa/ on a Solaris server
   Note Linux on System z and z/OS ship tar files on the CD that contain the files needed for remote server setup.
   On Linux on System z -- ZLINUX_CLIENT.TAR
   On z/OS -- ZOS_CLIENT.TAR
5. At the command prompt on the client system, from the directory you created, enter:
   remotesetup -record
   Note For Linux on System z and z/OS, set the DISPLAY environment variable so that the setup program is directed to a workstation supporting X-Window.
6. Enter a name and description for the profile.
7. Continue through the setup program. Domino saves your selections in a file with the name you specified in Step 6 and stores the file in the client-system directory that you created in Step 3.
To use a setup profile from a Windows client without Domino Administrator or from a UNIX workstation
1. Install the Domino server program files on a server system, but do not run the Domino server setup program.
2. At the command prompt on the server system, from the Domino program directory, do one of the following:
   o On a Windows server, enter nserver -listen
   o On a UNIX server, enter server -listen
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter the following at the command prompt:
   o On a Windows client: mkdir c:\temp
   o On a UNIX workstation: mkdir /temp
5. Do one of the following:
   o From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\<Domino program directory> on the server.
   o From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are located as follows:
     /<Domino program directory>/lotus/notes/latest/ibmpow/ on an IBM AIX server
     /<Domino program directory>/lotus/notes/latest/zlinux/ for Linux on an IBM System z server
     /<Domino program directory>/lotus/notes/latest/linux/ on a Linux server
     /<Domino program directory>/lotus/notes/latest/sunspa/ on a Sun Microsystems Solaris server
   Note Linux on System z and z/OS ship tar files on the CD that contain the files needed for remote server setup.
   On Linux on System z -- ZLINUX_CLIENT.TAR
   On z/OS -- ZOS_CLIENT.TAR
6. At the command prompt on the client system, from the directory you created, enter:
   remotesetup -playback
   Note For Linux on System z and z/OS, set the DISPLAY environment variable so that the setup program is directed to a workstation supporting X-Window.
7. In the Connect to Remote Domino Server dialog box, click Ping to ensure that you can connect to the server.
8. Enter the host name or network address of the server.
9. Click OK.
10. Choose the profile to use. If you don't see the profile you want in the list, click Browse to locate the directory that contains the profile. To change the existing profile, click Modify selected profile.
11. Click OK to start the server setup.
where myprofile is the name you gave to the profile file.
Note If the profile file is not in the root directory, use the profile's full path in the command.
Tip Entering nserver -help or server -help displays the parameters available for working with server setup profiles.
3. If the profile uses existing server, certifier, or administrator IDs that require passwords, do the following:
   1. Create a text file that contains the passwords for the existing IDs. The keywords in this file are:
      Server=
      AddServer=
      Certifier=
      OUCertifier=
      Administrator=
   2. Add a parameter in the command line for the name of the password file. For example, on Windows enter:
      nserver -silent c:\myprofile.pds c:\passwd.txt
4. If this is a partitioned server setup, add the = parameter to the command line to specify the NOTES.INI file in this partition's Domino data directory. For example, on Windows enter:
   nserver -silent c:\myprofile.pds =c:\lotus\domino\data2\notes.ini
5. Check the ERRORLOG.TXT file in the Domino data directory to confirm that the setup is complete, or to view any error messages that were generated during setup.
To do a silent setup from a Windows client without Domino Administrator or from a UNIX workstation
1. Install the IBM Lotus Domino server program files on a server system, but do not run the Domino server setup program.
2. At the command prompt on the server system, from the Domino program directory, do one of the following:
   o On a Windows server, enter nserver -listen
   o On a UNIX server, enter server -listen
   Note For Linux on System z and z/OS, set the DISPLAY environment variable so that the setup program is directed to a workstation supporting X-Window.
3. On the client system, install the Java runtime environment.
4. Create a temporary directory on the client system. For example, enter the following at the command prompt:
   o On a Windows client: mkdir c:\temp
   o On a UNIX workstation: mkdir /temp
5. Do one of the following:
   o From a Windows client, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP.CMD from the server to the directory you created on the client system. These files are in C:\Domino program directory on the server.
   o From a UNIX workstation, copy the remote setup files CFGDOMSERVER.JAR, JHALL.JAR, and REMOTESETUP from the server to the directory you created on the workstation. These files are located as follows:
     /<Domino program directory>/lotus/notes/latest/ibmpow/ on an IBM AIX server
     /<Domino program directory>/lotus/notes/latest/zlinux/ for Linux on an IBM System z server
     /<Domino program directory>/lotus/notes/latest/linux/ on a Linux server
     /<Domino program directory>/lotus/notes/latest/sunspa/ on a Sun Microsystems Solaris server
   Note Linux on System z and z/OS ship tar files on the CD that contain the files needed for remote server setup.
   On Linux on System z -- ZLINUX_CLIENT.TAR
   On z/OS -- ZOS_CLIENT.TAR
6. At the command prompt on the client system, from the IBM Lotus Notes program directory, enter:
   remotesetup -silent c:\myprofile.pds -remote serveraddress
   Note For Linux on System z and z/OS, set the DISPLAY environment variable so that the setup program is directed to a workstation supporting X-Window.
   Where myprofile is the name you gave the setup profile and serveraddress is the host name or network address of the server you are setting up.
   Note If the profile file is not in the root directory, use the profile's full path in the command.
7. If the profile uses existing server, certifier, or administrator IDs that require passwords, do the following:
   1. Create a text file that contains the passwords for the existing IDs. The keywords in this file are:
      Server=
      AddServer=
      Certifier=
      OUCertifier=
      Administrator=
   2. Add a parameter in the command line for the name of the password file. For example, on Windows enter:
      remotesetup -silent c:\myprofile.pds c:\passwd.txt -remote serveraddress
8. If this is a partitioned server setup, add the = parameter to the command line to specify the NOTES.INI file in this partition's Domino data directory. For example, on Windows enter:
   remotesetup -silent c:\myprofile.pds -remote serveraddress =c:\lotus\domino\data2\notes.ini
9. Check the ERRORLOG.TXT file to confirm that the setup is complete, or to view any error messages that were generated during setup.
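The password file used by both silent-setup procedures above holds ID passwords in clear text, so the following added example (not IBM code) creates it readable by its owner only and deletes it as soon as setup returns. The PW_* variable names, the function names, and the one-keyword-per-line layout are assumptions of this sketch; only the five keywords come from the page.

```shell
#!/bin/sh
# Added example, not IBM code. Keeps the -silent password file private and
# short-lived on a UNIX system.

# emit KEYWORD VALUE: print "KEYWORD=VALUE" only when VALUE is non-empty.
emit() { [ -z "$2" ] || printf '%s=%s\n' "$1" "$2"; }

# write_pwfile FILE
# Writes one line per ID whose password is supplied in the environment.
# PW_SERVER, PW_ADDSERVER, PW_CERTIFIER, PW_OUCERTIFIER and PW_ADMINISTRATOR
# are names invented for this example; the keywords are the page's.
write_pwfile() {
    pw_old_umask=$(umask)
    umask 077                       # new file: no group or other access
    rm -f "$1"                      # never reuse a file with looser modes
    {
        emit Server        "${PW_SERVER:-}"
        emit AddServer     "${PW_ADDSERVER:-}"
        emit Certifier     "${PW_CERTIFIER:-}"
        emit OUCertifier   "${PW_OUCERTIFIER:-}"
        emit Administrator "${PW_ADMINISTRATOR:-}"
    } > "$1"
    pw_rc=$?
    umask "$pw_old_umask"
    return "$pw_rc"
}

# with_pwfile COMMAND [ARGS...]
# Creates the password file in a private directory, exposes its path as
# $PWFILE, runs COMMAND, then removes the file whether COMMAND succeeded or
# not. Returns COMMAND's exit status.
with_pwfile() {
    pw_dir=$(mktemp -d) || return 1           # directory is created mode 0700
    trap 'rm -rf "$pw_dir"; exit 1' INT TERM HUP
    PWFILE=$pw_dir/passwd.txt
    write_pwfile "$PWFILE" || { rm -rf "$pw_dir"; trap - INT TERM HUP; return 1; }
    pw_status=0
    "$@" || pw_status=$?
    rm -rf "$pw_dir"                          # passwords leave the disk here
    trap - INT TERM HUP
    unset PWFILE
    return "$pw_status"
}

# Example call for a server-side silent setup. "server -silent" mirrors the
# page's Windows "nserver -silent" line; the paths are placeholders:
#   run_setup() { ./server -silent /path/to/myprofile.pds "$PWFILE"; }
#   PW_CERTIFIER='...' PW_ADMINISTRATOR='...' with_pwfile run_setup
```

Check ERRORLOG.TXT afterwards as the procedure says; the password file is already gone by then, so nothing has to be cleaned up by hand.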
Certification log
When you set up the first IBM Lotus Domino server in a domain, the server setup program creates the Certification Log. If you delete the log, you can recreate it, but be aware that the new log will not contain the information it previously stored. The Certification log records information related to recertification and name changes. When you add servers and users to Domino, the Certification Log maintains a record of how you registered them. For each registered server and user, the Certification Log stores a document containing the following information:
Name and license type
Date of certification and expiration
Name, license type, and ID number of the certifier ID used to create or recertify the ID
Create a replica of the Certification Log on every server that is a registration server and on every server that stores a Domino Directory that is used for user management -- for example, renaming and recertifying users. If the server whose Domino Directory replica you are using does not have a Certification Log, user-management actions will fail.
Creates a server ID for the new server and certifies it with the certifier ID
Creates a Server document for the new server in the Domino Directory
Encrypts and attaches the server ID to the Server document and saves the ID on a disk or in a file on the server
Adds the server name to the LocalDomainServers group in the Domino Directory
Creates an entry for the new server in the Certification Log (CERTLOG.NSF)
If you have a Domino server-based CA for issuing Internet certificates, you can choose to configure the new server to support SSL connections by providing a server key ring password and the server's host name. Then, Domino does the following:
The registration process creates a certificate request in the Administration Requests database (ADMIN4.NSF) to be processed by the server's Internet CA
The registration process creates a "create SSL key ring" request in ADMIN4.NSF
Once you set up and start the new server and the "create SSL key ring" request has replicated to it, the "create SSL key ring" request creates the server key ring file and an "enable SSL ports" request for the administration server of the Domino Directory
The "enable SSL ports" request enables all the SSL ports on the new server and creates a "monitor SSL status" request for the new server
The "monitor SSL status" request restarts all of the Internet tasks currently running on the new server so that the tasks will accept SSL connections
Note You must use the Domino Administrator if you want to use this server registration process to configure a new server for SSL.
Registering a server
Use this procedure to register a server. Note If you have not specified a registration server in Administration Preferences, this server is by default:
The server specified in the NewUserServer setting in the NOTES.INI file
The Administration server
Perform the following steps:
1. If you are supplying the certifier ID, make sure that you have access to it and that you know its password.
2. If you are using the IBM Lotus Domino Administrator and would like the new server to support SSL, make sure that you have an Internet CA configured.
3. From the Domino Administrator or Web Administrator, click the Configuration tab.
4. From the Tools pane, click Registration - Server.
5. If you are using the Domino Administrator, do the following:
   1. If you are using the CA process, click Server and select a server that includes the Domino Directory that contains the Certificate Authority records, and the copy of the Administration Requests database (ADMIN4.NSF) that will be updated with the request for the new certificate. Then click "Use the CA Process," select a CA-configured certifier from the list, and click OK.
   2. If you are supplying the certifier ID, select the registration server. Then click "Certifier ID" and locate the certifier ID file. Click OK, enter the password for the certifier ID, and click OK.
   3. In the Register Servers dialog box, click Continue if you want to apply the current settings to all servers registered in this registration session; otherwise, complete these fields:
- Click Registration to specify the registration server.
- If the certifier ID displayed is NOT the one you want to use for all servers registered in this session, or if you want to use the Domino server-based CA instead of a certifier ID, click Certifier and you return to Step 4.
- The public key specification that you use impacts when key rollover is triggered. Key rollover is the process used to update the set of Notes public and private keys that is stored in user and server ID files. Choose one:
  o Compatible with all releases (630 bits)
  o Compatible with Release 6 and later (1024 bits)
  o Compatible with Release 7 and later (2048 bits)
  For information about the significance of the public key specification and key rollover, see the topic User and server key rollover.
- License type -- Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
- Expiration date -- (Optional) To change the expiration date of the Server Certificate, enter the date in mm-dd-yyyy format in the Certificate Expiration Date box. The default date is 100 years from the current date, minus allowances for leap years.
- Certificate Authority -- If you want the server to support SSL, select an Internet CA from the list.
   4. Click Continue.
6. If you are using the Web Administrator, do the following:
   1. Select a registration server that includes the Domino Directory that contains the Certificate Authority records, and the copy of the Administration Requests database (ADMIN4.NSF) that will be updated with the request for the new certificate.
   2. Select a CA-configured certifier from the list, and click OK.
7. In the Register New Server(s) dialog box, complete these fields for each server that you want to register:
- Enter the name of the new server.
- Enter the server title, which appears on the Configuration tab in the All Server Documents view and in the Server Title field of the Server document.
- The default domain name is usually the same as the name of the organization certifier ID.
- Enter the name of the person who administers the server.
- Required if you are going to store the server ID in the Domino Directory. Optional if you store the server ID in a file. The password is case-sensitive and characters you use will depend on the level you set in the Password quality scale.
- Click Password Options. Specify a password quality scale by choosing the level of complexity for the password. By default, the level is 0, where 16 is the highest. Click OK.
  o Select "In Domino Directory" to store the server ID in the Domino Directory.
  o Select "In File" to store the server ID file in a file. Then click "Set ID File," select the name and path for the file, and click Save.
Note You don't see this field from the Web Administrator, as the server ID is stored in the Domino Directory.
8. (Domino Administrator only) If you chose an Internet CA in the Register Servers dialog box and you want the server to support SSL connections, click Advanced, select "Enable SSL ports," and complete the following fields:
   o Server key ring password -- Enter a password for the server key ring
   o Server host name -- Enter the fully qualified domain name of the server, for example, app01.acme.com
9. Do one:
   o Click the green check box to add the server to the registration queue.
   o Click the red X to clear the fields.
10. The server registration queue displays the servers ready to be registered. To display the settings for a server, select the server name in the queue.
11. Click one:
   o New Server -- To clear fields in the Register New Server(s) dialog box
   o Register All -- To register all servers in the registration queue
   o Register -- To register the highlighted server in the registration queue
   o Remove -- To remove the highlighted server from the registration queue
   o Done -- To close the Register Server(s) dialog box. Any servers remaining in the registration queue will not be registered.
12. After you register a server, install it and then run the server setup program to configure it.
- Create an additional organization certifier ID.
- Create an organizational unit certifier ID.
- Use Internet site documents to configure Internet protocol server tasks:
  o Enable the Internet sites view
  o Create an Internet site document
  o Set up security for Internet site documents
- Enter the name of the organization. Enter a name different from the one used on the organization certifier ID created when you set up the first Domino server.
- (Optional) Adding an organizational country or region code for the country or region where the organization's corporate headquarters are located minimizes the chance that another organization has the same organization name as yours. Enter the country or region code only if you have registered your organization name with a national or international standards body. For multinational companies, you can enter a country or region in which the company has offices, as long as the organization name is registered there.
- Certifier password -- Enter a case-sensitive password for the certifier. The characters you use for this password depend on the level set in the "Password quality scale" field.
- Password quality scale -- Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
- Mail certification requests to (Administrator) -- Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator's name in this field.
- Location -- (Optional) Enter text that appears in the Location field of the
- (Optional) Enter text that appears in the Comment field of the Certifier document.
- The local server if there is one and it contains a Domino Directory
- The server specified in NewUserServer setting of NOTES.INI
- The Administration server
- Organizational Unit -- Enter a name for the new organizational unit.
- Certifier password -- Enter a case-sensitive password for the certifier. The characters you use for this password depend on the level set in the "Password quality scale" field.
- Password quality scale -- Choose the level of complexity for the password. By default, the level is 8, where 16 is the highest.
- Security type -- Choose either North American (default) or International. In practice, there is no difference between a North American and an International ID type.
- Enter the name of the administrator who handles recertification requests. The name specified here appears in the Certifier document in the Domino Directory. If you are creating a certifier ID for an off-site administrator, enter that administrator's name in this field.
- Location -- (Optional) Enter text that appears in the Location field of the Certifier document.
- Comment -- (Optional) Enter text that appears in the Comment field of the Certifier document.
10. Click Register.
- Web Site documents -- Create a Web site document for each Web site hosted on the Domino server.
- LDAP Site documents -- Create an LDAP site document for LDAP protocol access to an organization in a directory.
- IMAP, POP3, and SMTP Site documents -- Create an individual Internet site document for each mail protocol for which you enter an IP address.
- IIOP Site documents -- Create an IIOP Site document to enable the Domino IIOP (DIIOP) task on the server. This task allows Domino and the browser client to use the Domino Object Request Broker (ORB) server program.
Internet site documents make it easier for administrators to configure and manage Internet protocols in their organizations. For example, prior to Domino 6, if you wanted to set up a Web site in your organization, it was necessary to configure each Domino server in the domain with Mapping documents, Web realms, and File Protection documents. If you had virtual servers and virtual hosts, you had to do the same thing for them. In Domino 6, you can configure a Web Site document so that all servers and hosts use it to get configuration information for a Web site, including mapping information, file protection information, and Web realm authentication information. You must use Internet site documents if you:
- Want to use Web-based Distributed Authoring and Versioning (WebDAV) on a Domino Web server.
- Have enabled SSL on your server and want to use Certificate Revocation Lists to check the validity of Internet certificates used to authenticate with the server.
- Are using a service provider configuration on your server (see "For service providers only" below).
The Domino server is configured to use Internet site documents if the option "Load Internet configurations from Server\Internet sites documents" is enabled on the Basics tab of the Server document. If the option is not enabled, the server defaults to Server document settings to obtain configuration information for Internet protocols.

Note When creating or enabling Internet Site documents, you must also configure Internet Site documents for the protocols you are already using; otherwise those protocols may stop functioning or may behave differently. When Internet Site documents are enabled, protocol information that was previously taken from the Server document is taken from the Internet Site documents.

Internet site documents are designed to be used as follows:
- For any incoming connection, Internet site documents, Certifier documents and Global Domain documents are used to determine which organization (certifier) is associated with the target IP address. In a Domino configuration, all incoming IP addresses usually map to the top level certifier.
- For a specific organization and a specific protocol and a specific server, the Internet site document is used to determine which authentication controls are to be applied.
When you enter a Host name or IP address in an Internet site document, you do not gain control over which authentication controls are applied according to the IP address the user connects to. Instead, the first Internet site document located for the server and the organization is used. As a result, except for Web Site documents, you should have only one Internet site document for each organization, protocol, and server combination. For example, do not do the following: Server A has two IP addresses and you create the following two Internet site documents for POP3:
- One Internet site document for one IP address with no SSL allowed
- One Internet site document for another IP address, with SSL allowed.
The IP address is used to determine the organization and both Internet site documents apply to the same organization. The first Internet site document that matches the server and the organization is used, in this case, the Internet site document that does not allow SSL.

Modifications to Internet site documents (including the creation of new Site documents) are dynamic. The server or protocol does not need to be restarted after you create a new Site document, or after you modify or delete an existing one. Changes generally take effect minutes after the change is made.

Internet site documents are created in the Internet sites view, which is used to help manage Internet protocol configuration information by listing the configured Internet site documents for each organization in the domain.

Caution If you use an Internet site document to configure one Internet protocol on a server, you must also use Internet site documents for all Internet protocols on that server. For example, you cannot set up an LDAP Internet site document and, on the same server, use the Server document to configure HTTP.

While most protocol settings are configured in Internet site documents, there are some settings that need to be configured in the Server document to support Internet protocol configurations. These include settings for:
- Enabling and configuring the TCP/IP port.
- Enabling and configuring the SSL port (including redirecting TCP to SSL).
- Accessing the server -- such as who can access the server and how.
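The one-document-per-organization, protocol, and server rule described above can be checked mechanically before documents are saved. The following is an added example, not IBM code: the record layout, key names, server names and addresses are constructed for illustration, and glob-style matching of the "Domino servers that host this site" wildcards is an assumption.

```python
"""Lint constructed Internet site document records for the one-per-combination rule."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample data. The dictionary keys are hypothetical names chosen for
# this example; they are not Domino item names.
SERVERS = ["ServerA/Acme", "ServerB/Acme"]
SITE_DOCS = [
    {"name": "POP3 no SSL", "protocol": "POP3", "org": "Acme",
     "hosts": ["192.0.2.10"], "servers": ["ServerA/Acme"], "ssl_allowed": False},
    {"name": "POP3 SSL", "protocol": "POP3", "org": "Acme",
     "hosts": ["192.0.2.11"], "servers": ["*/Acme"], "ssl_allowed": True},
    {"name": "Web main", "protocol": "Web", "org": "Acme",
     "hosts": ["www.acme.com"], "servers": ["*"], "ssl_allowed": True},
    {"name": "Web shop", "protocol": "Web", "org": "Acme",
     "hosts": ["shop.acme.com"], "servers": ["*"], "ssl_allowed": True},
    {"name": "LDAP", "protocol": "LDAP", "org": "Acme",
     "hosts": ["192.0.2.10"], "servers": [], "ssl_allowed": True},
]


def hosting_servers(doc, servers):
    """Expand the 'Domino servers that host this site' value to concrete servers.

    A blank list loads the site on no server. Wildcards are matched
    case-insensitively with glob rules, which is an assumption of this example.
    """
    patterns = [p.lower() for p in doc["servers"]]
    return [s for s in servers
            if any(fnmatchcase(s.lower(), p) for p in patterns)]


def lint_site_docs(docs, servers):
    """Return a sorted list of (severity, message) findings."""
    findings = []
    by_combo = defaultdict(list)
    for doc in docs:
        hosted = hosting_servers(doc, servers)
        if not hosted:
            findings.append(("warn", f"{doc['name']}: not loaded on any server"))
        for server in hosted:
            # The host/IP value is deliberately not part of the key: it selects
            # the organization, not the authentication controls.
            by_combo[(doc["org"], doc["protocol"], server)].append(doc)

    for (org, protocol, server), group in by_combo.items():
        # Web Site documents are the stated exception to the rule.
        if protocol == "Web" or len(group) < 2:
            continue
        names = ", ".join(d["name"] for d in group)
        if len({d["ssl_allowed"] for d in group}) > 1:
            findings.append(("error",
                f"{org}/{protocol}/{server}: {names} disagree on SSL; "
                "only the first document located is applied"))
        else:
            findings.append(("warn",
                f"{org}/{protocol}/{server}: duplicate documents {names}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in lint_site_docs(SITE_DOCS, SERVERS):
        print(f"{severity.upper():5} {message}")
```

The POP3 pair reproduces the Server A case above: the second document's wildcard also covers Server A, so the two documents collide there even though they list different IP addresses.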
Each hosted organization has one Web Site document that can be created during hosted organization registration. You must create this initial Web Site document to activate the HTTP protocol. If you have multiple Web sites, you need one individual Web Site document for each additional Web site for each organization. If the hosted organization supports DOLS, the Web Site document must contain the name of the DSAPI filter file name. You must create one mail protocol Site document (IMAP, POP3, or SMTP) for each protocol used by each organization. In a hosted environment, Domino IIOP (DIIOP) can use the information in the IIOP Internet site document to define the scope of the Domino Directory used to validate users. With DIIOP, you can use any Java code running on any server on the network. If your configuration has one IP address that is shared by multiple hosted organizations, HTTP, IMAP, LDAP, POP3, and SMTP are the available protocols. For IMAP, LDAP, POP3, and SMTP users, the name provided during authentication must be the user's Internet e-mail address, so that the server knows the organization of which each user is a member. Anonymous access to LDAP is not supported in this configuration. To enable SSL for a hosted organization, you must enter the server IP address in the field "Host names or addresses mapped to this site" on the Basics tab of the Internet site document.
- (Optional) Enter a name that differentiates this site from all others that you create. This name appears in the Internet sites view in this format: the type of Internet site, the descriptive name, and the host name or address. For example: Web Site: MyWebSite (www.acme.com). If you do not enter a name, the default name is the type of Internet site document with the host name or address appended. For example: POP3 Site: (www.acme.com). For hosted environments -- The default descriptive name is a combination of the hosted organization name with the type of site document appended. For example, a Domino IIOP site with a hosted organization name of Acme would be Acme IIOP Site.
- Organization -- (Required for all Internet site documents) Enter the name of the registered organization that hosts the Internet site document. The name must correspond to the organization's certifier. Note For Web Sites set up in a non-service provider configuration, this name can be any suitable word or phrase.
- Use this Web site to handle requests which cannot be mapped to any other Web sites:
  o Yes -- This Web site processes incoming HTTP requests if Domino cannot locate the Web sites that were entered in the "Host names or addresses mapped to this site" field.
  o No (default) -- This Web site does not process incoming HTTP requests for which Domino cannot locate a Web site.
- (Required for all Internet site documents) Enter the target host names or IP addresses that trigger a connection's use of this Internet site document. If the site is set up for SSL, you must specify IP addresses. For hosted environments -- When creating Domino IIOP Site documents, the first host name IP address that is on this list will be used to advertise DIIOP's service creating diiop_ior.txt. Therefore, it is recommended that each Domino server have its own Internet site document.
- Domino servers that host this site -- (Required for all Internet site documents) Enter the name of one or more Domino servers that host this site. You can use any variation of distinguished name (for example, Server1/Sales/Acme) as well as wildcards (for example, */Acme). The default is (*), which means that all servers in the domain can host this site. If you leave the field blank, the Internet site will not be loaded on any Domino server.
4. For all Internet site documents, complete the settings on the Security tab.
5. Some Internet sites require additional configuration. The table below indicates the Internet site documents that require additional configuration, and the locations for settings in those documents for enabling additional configuration information unique to those protocols.
1. From the Domino Administrator, click Configuration - Web - Internet sites.
2. Choose the Internet site document to modify, and click Edit Document.
3. Click Security, and complete these fields:
(Applies to all Internet sites, except IMAP and POP3) Choose one:

Choose one:
o Yes -- To require a user to authenticate with the user's name and Internet password to access the site
o No -- To not require name and password authentication

o Yes -- To require clients and servers to use the SSL protocol to access the Web site
o No -- To allow clients and servers to use SSL or TCP/IP to access the Web site

SSL Authentication
Anonymous -- (Applies to all Internet sites, except IMAP and POP3) Choose one:
o Yes -- To allow users access over the SSL port without authenticating with a name and password
o No -- To deny users anonymous access

Choose one:
o Yes -- To require a user to authenticate with user name and Internet password in order to access this site using SSL
o No -- To not require a name and password

Client certificate
o Yes -- To require a client certificate for access to this site
o No -- To not require a client certificate
SSL Options
Key file name -- Enter the name of the server key ring file.
Protocol version -- Choose one:
o V2.0 only -- Allows only SSL 2.0 connections.
o V3.0 handshake -- Attempts an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, attempts to connect using SSL 2.0.
o V3.0 only -- Allows only SSL 3.0 connections.
o V3.0 with V2.0 handshake -- Attempts an SSL handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible.
o Negotiated (default) -- Attempts an SSL 3.0 connection. If this fails, attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Choose one:
o Yes -- To accept the certificate and use SSL, even if the server does not have a certificate in common with the protocol server
o No (default) -- To prohibit the acceptance of SSL site certificates for access

Choose one:
o Yes -- To allow clients access, even if the client certificate is expired
o No -- To prohibit client access using expired SSL certificates

Choose one:
o Yes -- To check the certifier's Certificate Revocation List (CRL) for the user certificate you are attempting to validate. If a valid CRL is found and the user certificate is on the list, the user certificate is rejected.
o No -- To not use Certificate Revocation Lists

Choose one:
o Yes -- To use expired but otherwise valid Certificate Revocation Lists when attempting to validate user certificates
o No -- To reject expired Certificate Revocation Lists

Choose one:
o Yes -- If the attempt to locate a valid Certificate Revocation List fails, proceed as if "Check for CRLs" is set to No.
o No -- If a valid Certificate Revocation List for the user certificate is not found, reject the certificate. If "Trust expired CRLs" is set to Yes, an expired CRL is valid. If "Trust expired CRLs" is set to No, the authentication will fail for every user certificate for which a matching valid CRL is not located.
SSL Security
SSL ciphers -- Click Modify to change the SSL cipher settings for this site document. These settings apply only to SSL v3. SSL v2 ciphers cannot be changed.
Enable SSL V2
4. Save the document.
Note The HTTP task is backward-compatible with the Web Server Configurations view.
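The three CRL options on the Security tab interact, and some combinations fail open. The following added example (not IBM code) models the behaviour exactly as the option descriptions above state it and lists the combinations in which a revoked client certificate is still accepted; the class names, the `allow_search_to_fail` name for the third option, and the sample CRL data are constructed for illustration.

```python
"""Model of the three CRL options on the Security tab as one decision function."""
from dataclasses import dataclass
from datetime import datetime
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a certifier's CRL (not a Domino structure)."""
    next_update: datetime
    revoked_serials: frozenset


@dataclass(frozen=True)
class CrlSettings:
    check_crls: bool              # "Check for CRLs"
    trust_expired_crls: bool      # "Trust expired CRLs"
    allow_search_to_fail: bool    # hypothetical name for the third option


def evaluate(settings: CrlSettings, crl: Optional[Crl], serial: str,
             now: datetime) -> tuple:
    """Return (accepted, reason) for a client certificate serial number."""
    if not settings.check_crls:
        return True, "CRL checking disabled"
    # An expired CRL counts as valid only when expired CRLs are trusted.
    usable = crl is not None and (
        crl.next_update > now or settings.trust_expired_crls)
    if usable:
        if serial in crl.revoked_serials:
            return False, "certificate is on the CRL"
        return True, "certificate is not on the CRL"
    if settings.allow_search_to_fail:
        return True, "no valid CRL found; proceeding as if checking were off"
    return False, "no valid CRL found"


def revoked_but_accepted(now: datetime, crl_cases: dict, serial: str) -> list:
    """List (settings, case) pairs where CRL checking is on yet a revoked
    certificate is accepted."""
    hits = []
    for trust_expired, allow_fail in product([False, True], repeat=2):
        settings = CrlSettings(True, trust_expired, allow_fail)
        for case, crl in crl_cases.items():
            accepted, _ = evaluate(settings, crl, serial, now)
            if accepted:
                hits.append((settings, case))
    return hits


# Constructed scenario: serial "0A1B" has been revoked by the certifier.
NOW = datetime(2012, 1, 15)
REVOKED = "0A1B"
CRL_CASES = {
    "current CRL": Crl(datetime(2012, 2, 1), frozenset({REVOKED})),
    "expired CRL": Crl(datetime(2012, 1, 1), frozenset({REVOKED})),
    "CRL missing": None,
}

if __name__ == "__main__":
    for settings, case in revoked_but_accepted(NOW, CRL_CASES, REVOKED):
        print(f"revoked certificate accepted with {case}: {settings}")
```

Every fail-open result has the third option set to Yes; with it set to No, a missing or untrusted-expired CRL rejects the certificate instead.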
- Choose Start - Programs - Lotus Applications - Lotus Domino Server.
- Enter the path for the Domino program directory. For example, if you installed Domino in the /opt directory, enter: /opt/ibm/lotus/bin/server
- IBM i -- Use the following IBM i command: STRDOMSVR SERVER(servername) where servername is the name of your Domino server.
quit
It may take ten seconds or more for the server to shut down.
IBM i -- For IBM i, in addition to Quit and Stop, you can also use the following IBM i command: ENDDOMSVR SERVER(servername) where servername is the name of your Domino server.
o Start Domino as a regular application -- Starts the Domino server as any application would be started. This is the traditional method for starting and running the Domino server. If you choose this option without selecting either of the check boxes on the dialog box, the next time Domino starts, you are prompted with this dialog box again. If you choose this option and you select the "Don't ask me again" check box, you are not prompted with this dialog box again and Domino always starts as an application. If you choose this option and select the check box "Always start Domino as a service at system startup," Domino runs as an application during the current session. The next time you start the server, Domino runs as a Windows service.

Optionally, you can also choose neither of the following, one of the following, or both:
o Always start Domino as a service at system startup -- Select this check box if you want Domino to always start as a Windows service. Once you select this option and click OK, you cannot change your selection using this dialog box.
o Don't ask me again -- Select this check box if you do not want to be prompted again when the Domino server starts. After you select this check box and click OK, you will not be able to reset your selections using this dialog box.

Click OK.
When run as a Windows service, Domino runs as any other Windows service runs. Some of the benefits associated with running Domino as a Windows service are listed below.
- If you select "Automatic" for starting services, Windows services are started when the system starts.
- Windows services can be controlled via the Windows service manager.
- The Windows service manager can be used remotely.
- Services continue to run even when you log off the system.
Click Chat and you can choose from the following options:
- Chat with -- Open a chat with the person whose name is currently selected in the open document or directory.
- Add to Instant Contact List -- Add the selected person's name to an instant messaging contact list that you choose.
- Show/Hide Contact List -- Toggles between displaying the names in the contact list and hiding the list.
Prerequisites
The DPI wizard requires that both the Domino server and WebSphere Portal server be installed and set up.
- WebSphere Portal server 6.0 with security enabled, configured with Domino LDAP, not clustered, and with no support for IBM Access Manager for e-business or Computer Associates eTrust SiteMinder.
- Domino LDAP server, configured as the LDAP server for WebSphere Portal 6.0, running Domino release 7.0 or more recent, with the LDAP and HTTP/HTTPS services enabled. The wizard communicates over HTTP, but specifying an HTTPS port as well allows for a secure transmission of the LTPA token that the wizard copies.
- If security is enabled manually on the WebSphere Portal server 6.0, instead of enabling security with the Advanced Configuration wizard on the WebSphere Portal server, you will need to restart the WebSphere Portal Administration server before you run the DPI wizard. To prevent having to manually restart the WebSphere Portal Administration server, be sure to enable security in the Advanced Configuration wizard prior to running the DPI wizard.
- All servers must be behind the same Internet security firewall, in the same Internet domain, and if they are Domino servers, in the same Domino domain.
- To run the DPI wizard, you must be listed as an Administrator in the Server document in the Domino Directory (NAMES.NSF) on the Lotus Domino LDAP server.
Caution If you already have a Web SSO configuration on your Domino servers, be sure to read the "Consideration for existing SSO environments" section prior to running the wizard.
You can review the log file dpitasks.log generated during the configuration. The Dpitasks.log file contains the wizard history. If the DPI wizard fails, use the View Log button to review the content of the log file. Log files are stored on the Portal server at <PortalServerHome>/log. When the wizard completes, the log files are zipped into a file with this naming convention: DPIDebug_yyyymmdd_hhmm.zip, which can be found at <PortalServerHome>/config/wizard.