Thursday, January 28, 2010

My LS10 Speedgeeking Session

Webadmin to the Rescue...had a better name but they made me change it.

So simple question: Why did Lotus create webadmin in the 1st place? Answer during this post. Hint: NO admins got it right.

So in the beginning Iris created a Java client for admins in R5. Let's just say it was a bit raw.
R6 came out with a better more practical client, not quite on par with the admin client itself but a great step in the right direction.
R7 saw a huge jump to be in the 90% range of equality between the 2 versions and R8 has brought us to maybe 95%. I'd say 100 but I am fairly sure something is missing. Someone from Iris give me some insight and I will update this.

Anyway, so now we have webadmin and it is good. Real good. So good you are crazy if you don't use it. It really only takes a minute or 2(for the advanced benefits) to be setup. I did it 12 times in an hour, so no excuses from now on you lazy admins.

So why should you use webadmin? To start the Admin client is not multithreaded. What I mean is one cannot open multiple servers at the same time. After enabling webadmin you can open a browser window, and open as many servers as you need. I know some of you (developers probably) are saying "Why would you want to do that?"

Well, every time I go into a new client site and am asked to analyze the site my first thought is replication problems. How are you going to check each database for different versions and fix it easily. Sure you could check the database catalog, but usually that also is not up to date or running properly. Times have changed over the years and different ways exist to learn about your environment but bad administration continues. Just ask Paul and Bill and see/hear their Worst practices session at Lotusphere.

Also this presumes you want webadmin to be functional (create IDs, certify IDs, etc.) otherwise you could just use it by itself. The steps below will let you work when you are on vacation and don't have a laptop and Notes client handy or from your local pub(yes, I do travel with NOMAD, the Notes on a stick, with admin client, just in case with ID files and VPN software)or in my case from my smartphone.

The Basics:
Webadmin is created, as I was reminded by my attendees the first time HTTP is loaded. You can also create it from a database template (Domino Web administrator)...just in case. Now you may want to adjust the ACL on the database to include you as the admin or your admin group with Manager access, if you are not listed already. It was pointed out to me that Full Access Administrator will let one log in from the web without being listed in the ACL. This of course is impossible as Full Access Administrator is purely an Admin client function/feature, I tested this to make sure just in case with no entry listed and of course was denied access. I was worried for a few minutes.

However what they probably were referring to was this:
IBM® Lotus® Domino® automatically sets up default database security when the IBM® Lotus® Domino® Web Administrator database (WEBADMIN.NSF) is created for the first time. At that time, all names listed in either the Full Access Administrators or Administrators fields of the Server document are given Manager access with all roles to the Web Administrator database.

You should plan on having your file easily accessible and the password of course. While you are at it, check the expiration By adding the cert ID to the webadmin file you as the admin will be able to create IDs, recertify user IDs and a bunch of other fun things.

Oh and you need the Admin client to do the next steps. Sorry Mac and Linux people.
If that didn't spark your brain to answer the question above, yes the webadmin clients were created because some customers of IBM did not use windows and the Admin client is a Win32 client. There are probably some more proper reasons, but I will stick with this one.

Enabling Webadmin:

The webadmin database resides in the data directory as with most databases.
You can adjust the ACL before or after enabling the database as discussed above.

In the Admin client go to the Configuration tab.
Then in the Right column select Migrate certifier.
An amazingly scary popup comes up saying:
Webadmin and Certificate Authority
you are about to start the ominous Certificate Authority or CA process. Don't get upset, you are doing nothing of the sort. Ok, well, sort of, but ONLY for the Webadmin client, NOTHING else. CA deserves its own session at Lotusphere (I think it has been covered previously), too much to discuss in a 5 minute Speedgeeking session or a blog post. As Douglas Adams wrote about the Earth, this is "Mostly Harmless" and let's continue on.

Now go find your certifier ID file, enter the password and then click next.
When you see the next screen:
Webadmin configuration screen
you first select the server you want this to administer. A nice drop down shows all your servers.

The next line displays the name of the database which to be honest you should just leave alone as nothing else has this name with an ICL (Issued Certificate List) extension except for CA process related items. (feel free to add details those of you who are more granular than I or blog about it and link to this)
Then select an ID (more secure) or the server ID (less secure) to run the encryption. If you have a generic admin ID you use to sign databases use that one, else use the server ID, in this case only 2 options exist. Never assign it to your ID as you will create havoc should you move on from your organization.

Next you should see your ID you logged in with in the field at the bottom. Add your server names to this list to ensure all servers are ready to go with this access.
The Web administrator, as well as the server on which the Web Administrator database resides, must be listed as an RA for that certifier.

NOTE: For some unknown reason IBM neglected to put the check box picker here so you will have to go back and forth to add all the servers.

There is another tab where you can add how long you want this to stay in effect. Timing is everything so if that is acceptable fine, if not adjust accordingly.

And then click OK.

That's it. AdminP takes over and after a few minutes of processing you will be good to go.

This was not the end all be all of Webadmin nor CA just to show that it can really be done very easily.

For a simple list of the way to do this, see David Hay's post.