Tuesday, November 17, 2020

The Resiliency of HCL Domino and how to get Multiple SSL Certs to work with it

First, thanks go to Daniel Nashed who told me it could be done and that in R12 it will be even easier! I asked him because I thought the HCL documentation was a bit vague about whether it would work as I needed.

Second thanks go to Detlev Poettgen and Ulrich Krause of the midpoints LE4D (Let's Encrypt 4 Domino) team for support while I set it up and providing the community an awesome SSL certificate tool that keeps you rolling SSL certs for free. The link includes the request form to get it.

A lot has been posted about LE4D and, for whatever reason, I had not gotten around to it.

Part of the reason is the resiliency of Domino; I will get to that in a minute. But there was a technical limitation, since removed in Domino 11, related to how Domino handled SNI (Server Name Indication). Prior to R11 you could only use one SSL certificate per IP address in Domino. Since I run about a dozen domains on my server, this was not helpful, but now it works quite well.

What I found along the way was that, if HTTP is turned on, it is pretty hard to screw up a website. Wrong IP, name, old name, odd folder, missing file: Domino will still publish something. You start working backward to figure out what is going on and along the way end up with a stronger configuration. SSL troubleshooting is a little harder since we do not get specific error messages out of the server.

And this is what happened to me, but perseverance won out.

I requested the LE4D tool (link above), which is really a Domino application, and added it to my Domino 11.0 FP1 Windows server.

Did I mention it is free! As in beer, well, when we are at evening events at conferences.

Before you get started, you need ENABLE_SNI=1 added to the notes.ini on your server, as explained in the HCL doc at the top of this post. The document explains that your configuration may need to be tweaked (mine did) and that you need a default web site configured, or at least one web site with an IP address configured, to use as a starting point. More on this later.

NOTE: On IBM i, SNI is supported natively on IBM i enabled for SSL Plus for HTTP and not for System SSL API.

You can follow the directions in their PDF so I won't waste time on those, but the guide provided expects you to know a few things, which I will itemize below in case the LE4D team wants to update their help doc.

NOTE: Domino 9.0.1 FP8 or newer is required due to a reliance on JVM 1.8. Also, if you are not running R10 or R11 you will need the KYRTOOL file, and the PDF helps you get it.

Almost everything is built into the application, even a run and sign button so you can do everything from within the LE4D application.

While it is possible to create one settings document for all your domains, I found it better to create one for each domain. It makes troubleshooting easier, but more importantly, because I use separate folders for each domain, it allows me to customize the HTML HOME DIRECTORY field, which became a problem.

The Let's Encrypt challenge files and certificates need a place to go under each domain so they can be updated automatically, but also to preserve each domain's specific certificates. Otherwise, as I saw, all my domains ended up using the same cert, which would not work in the real world, although it is fine on testing/staging servers.

Also, if you have multiple domains, you need to give the KEYFILE NAME field a different value for each, or else all your certs will get written over, and that helps no one.

Once you have filled in the settings document (they provide an example in the PDF), save the document. Then enable it so it can run.

I did not have to do the IKEYMAN part on page 7 of the PDF which may be for prior to R10 servers or Linux, not sure.

Set up the program document so the automated process runs on a schedule and keeps your server's SSL certificates up to date.

You can manually run the agent from their database from the button in the top right corner.

There is an agent log at the bottom of each setting document which helps to troubleshoot it as well.

I found that when I clicked on Run, the client would hang for about 2 minutes while the agent ran and then would come back reporting that it had either worked or failed.

Now, this is where Domino was stubborn or resilient, depending on how you view it.

I could not get SSL to work at all. The log showed the cert was downloaded so what was wrong?

This is when I asked Daniel what I was missing and he pointed out that my DEFAULT SITE needed an IP address. BUT when I set a default site, there was no way to add the IP address. That seemed odd to me, so I worked backward.

In my case, the default site is Traveler as it is not going away, even if some other domains get retired.

A second, auto-generated Internet Site document is created, and that one gets the IP address. You also need to add the correct SSL key file to this second document so your Traveler devices can connect.

The next thing I had to do was manually add the correct Key File Name (the per-domain SSLFILE.KYR file) in the Security tab of each domain's Internet Site document, and then run HTTP Refresh at the server console.

And then it worked. Prior to fixing it all, HTTP worked fine and SSL thought it worked but really just errored out or reported that I was using a different domain's certificate. Domino is pretty resilient and keeps going even though parts are wrong.

Two domains I had to try a few times, maybe due to network issues, but eventually all got done and updated. I had some typos and used the wrong HTTP folder name in one case, but if you have patience you can find all your mistakes and fix them like I did.
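The "every domain got the same cert" failure above only shows up if you connect to each site with SNI and look at the certificate actually served. The following probe is an added example (not part of LE4D or Domino) that does exactly that for a list of site names; the site names in SITES are constructed placeholders and the certificate dictionaries follow the shape Python's `ssl` module returns from `getpeercert()`.

```python
"""Probe each Domino web site over TLS with SNI and check that the certificate
it serves actually names that host. Added example, not LE4D or Domino code."""
import socket
import ssl

# Constructed list of hypothetical site names; replace with your own domains.
SITES = ["traveler.example.com", "www.example.com", "blog.example.org"]


def names_from_cert(cert):
    """DNS names a cert (as returned by ssl getpeercert()) is valid for."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in cert.get("subject", ()):          # fall back to the CN for old certs
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def name_matches(hostname, pattern):
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        host_labels, pat_labels = hostname.split("."), pattern.split(".")
        return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]
    return False


def cert_covers(hostname, cert):
    return any(name_matches(hostname, n) for n in names_from_cert(cert))


def find_mismatches(served):
    """served: {hostname: cert}. Returns the hosts whose cert does not name them,
    which is what the 'every site serves the same cert' misconfiguration looks like."""
    return sorted(h for h, c in served.items() if not cert_covers(h, c))


def fetch_cert(hostname, port=443, timeout=5.0):
    """TLS handshake with SNI = hostname. The chain is verified against the system
    CA store, but hostname checking is disabled so a wrong cert can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    served = {}
    for site in SITES:
        try:
            served[site] = fetch_cert(site)
        except (OSError, ssl.SSLError) as exc:   # DNS, timeout or untrusted chain
            print(f"{site}: handshake failed: {exc}")
    for host in find_mismatches(served):
        print(f"{host}: served cert names {sorted(names_from_cert(served[host]))}")
```

A site that is listed in the mismatch output is the one whose Internet Site document still points at another domain's key file.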

Thursday, October 29, 2020

Our Collabsphere Session about O365 from the viewpoint of an Admin and a User

Hogne Pettersen and I gave this session today at Collabsphere.

It is a mix of good, bad, bewildering, and impressive views about the whole O365 story, solution, and parts within it.

We could spend all day discussing this and are happy to do so if anyone wishes to ask for our help.

For more details, follow us on our Twitter accounts at @LotusEvangelist and @NordicCUG

My Collabsphere Session on More Efficiently Working From Home with HCL Products

While my session had a small group of attendees given the great sessions I was up against, the beauty of an online conference is everyone can catch other sessions afterward.

It was great to be a part of MWLUG again, now known as Collabsphere.

Monday, October 5, 2020

Will 2021 Include You? Or me? As HCL Ambassadors

Please, in this time of need, I and the other HCL Ambassadors are asking you to stretch out your typing hand and give us one more effort.

No Zoom is required. Honest.

It has been a tough year for everyone: we lost two uncles, many people lost other relatives, friends lost jobs, companies closed, and yet here we are, knocking on 2021's door to let us be HCL Ambassadors.

What do we do, when we can't see people? When we can't speak at conferences in person? When we can barely get on a plane (where I am we are locked down, again).

Ambassadors go above and beyond their day jobs to do some of the following:

  • Bring light into the darkness when involved in competitive discussions
  • Save servers and applications from the misguided hands of users
  • Run online user group meetings with Zoom? No, Sametime Meetings!
  • Come up with ideas to help HCL get the word out better, offer up training ideas, or just hold "open office" time to let people ask questions
  • Write some tips (hint: follow #HCLAmbassadorTips on LinkedIn, Facebook, and Twitter)
  • Produce some videos about solutions and products
  • Blog, tweet, or podcast, and not only in their native language; I did three languages this year, but many Ambassadors speak multiple languages, and they are awesome beyond imagination
  • Dream up ideas for "what if we could...."
  • Spend WAY too much time, unfortunately, saving many of us, and many of us saving our customers with their help, from the ahem Cloud divorce in July; I owe a few people drinks, if we ever get together again
  • Answer questions in Slack, Skype, Twitter, LinkedIn, Facebook, HCL forums, and numerous other places, and are not satisfied until some resolution is found
  • Help each other, to better help YOU, our customers; after all, we are all global and some of us stretch across most of the earth in our workday
I am sure your Notes/Domino/Sametime/Connections/Traveler/Verse/Volt/Nomad admins and developers do much of this too inside your organization, right?

Your job is to reward them by nominating them (https://bit.ly/33uANFQ), us, or me, so we can keep doing great things magically for you in 2021.

Without our advanced warnings and meetings with HCL, we can't provide you with the full first-class service you have been enjoying. 

This is the biggest benefit that we gain by being Ambassadors, in my eyes, and if you agree, please click on this link https://bit.ly/33uANFQ and nominate your SuperAdmin or SuperDeveloper.

Thank you for your support,
See you in 2021, in person I hope, at one of these events which have gone virtual for 2020:
Collabsphere, Engage, SUTOL, C3UG, NCUG, SNoUG, RNUG, DNUG, Let's Connect and many others I am forgetting but which might be local to you in your region.

Sunday, October 4, 2020

Skills Sunday: Traveler problems since iOS Verse 11.0.6 came out? Help is here

Note: Edited October 6th with more details, see the end of the post.

Hello everyone, I know I don't blog so much about technical items; I have moved away from much of it towards product marketing and specifically CI, Competitive Intelligence.

But I still have a few clients that I help, and this came up this week; as people posted on FB and in other places about it, I figured I should help the greater community.

If you have iPhone users already on Traveler, this is not needed for you... yet. These people are all fine, for now, even on 11.0.6, because until the app is freshly uninstalled and reinstalled it relies on the "older" authentication method.

If you have a person who got a new phone in the last week, or maybe a new onboard, then you were probably hit by the "Traveler is not working" problem.

I do not believe it matters which version of Domino or Traveler you run on the server side. Of course, you should be on the latest version of Traveler, 11.0.1 Fix Pack 1, which happens to also run on Domino 10.x, not just R11.

The real problem is that on Sept 29/30 release 11.0.5 was removed from the Apple App Store and replaced by 11.0.6.

No big deal, right, apps get updated all the time.

BUT

Not so fast.

HCL slipped in something which was only posted 2 days before the update. Take a look at this technote which, in its own words, was posted 6 (!?) days ago.

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0082562&sys_kb_id=792782151be7d8d0beab64e6ec4bcbff

Starting with HCL Verse iOS 11.0.6, support was added for Certificate Based Authentication. There is currently only one mode supported: the server (or access gateway) requires the client device to provide a certificate only. Requiring a certificate and userid/password is not supported. Additionally, this version of the client does not alternatively support basic authentication in the event the certificate-based authentication fails.

OK, like any other admin I figured I would follow the paper trail of technotes, which would tell me what to do to fix this.

NOTE: NOTHING in the above technote is helpful, aside from the paragraph quoted.

Now I go searching on Certificate Based Authentication and 11.0.6 and find this great session from my friend Milan Matejic (go follow him on Twitter, @Milan_Matejic90), which he gave at the last Engage conference before the whole pandemic started. His slides are here, and a video too, and he provides a great example of how to create and merge this certificate.

https://milanmatejic.wordpress.com/2020/03/30/engageug-implementing-certificate-based-authentication-for-hcl-traveler-access/

BUT this is overkill, at least it was for my client. 

So try the override option below first, then if not working, go back to Milan's.

The other thing you may find is this Admin Documentation: 

https://help.hcltechsw.com/traveler/11.0.0/Android_CBA.html

This includes a freshly added Note, and the article linked at the end of it is the first technote up above! Circular guidance; please, HCL Documentation team, fix this:

Note: Starting with HCL Verse 11.0.6 for iOS, limited support was added for Certificate Based Authentication. For more information, see this article.

What you really want is the technote below, which HCL support sent me while I was trying to figure out what was going on; this worked for my client very easily.

How to OVERRIDE form-based login for the /traveler URL:

https://help.hcltechsw.com/traveler/11.0.0/httpauthentication.html

Along the way, we figured out the client had also changed their Notes redirector and renamed the SSL .kyr file, so the steps we followed caused more oddities, but I fixed those and now can log in fine. So check everything along the way.

The question is which is the right way to go? Should we follow Milan's session or do this override? I am still digging into it but feel free to comment and let me know what you think, and if this helped you, let me know too.

Oct 6 Update: After discussions with HCL, they will be updating the documentation to be clearer about the changes and what is required.

You can continue to log in with just name/password if you follow the override guide (the one that worked for me).

What they were trying to say is that IF you needed or wanted the client certificate (which is different from an SSL certificate and also NOT your Notes ID file), then you would have to follow the other links and possibly use Milan's session as your guide, and that down the road it may be preferable.

Remember, this is ONLY a client-side change; nothing changed in how the server works, as the server is flexible, which is why we love Domino.

Tuesday, March 3, 2020

Domino Administration Wizardry - Dark Arts Edition

Here are the slides for the session I just completed at the Engage conference.
This session was, and is, aimed at junior admins that need to find better, faster ways to do some redundant tasks.

If you have any questions, just ask me. The code used is not perfect and alternative options do exist, but for an admin with little to no development knowledge, I hope this saves you time and gives your users, and manager, reasons to love you even more.

Tuesday, January 21, 2020

Will I See You at Engage for my Session?

For the 3rd time in 3 years I will be presenting at the great Engage conference.

Together with 400 attendees, I will be one of the 38 HCL Masters speaking at the event.

This time I am extending even more Domino Administration fun, culled from real-life, everyday client headaches and surprises, by incorporating some LotusScript code and other bits of development to make your daily admin lives better, faster and easier so you can get to the free beer at Engage quicker.

Tuesday, March 3 13:30 - 14:30 Room G: Knoefzaal
Ad09. Domino Administration Wizardry - Dark Arts Class

Bring your wands (laptops) and let's create some magic (scripts, code) so you can go home a 1st class Wizard.

ALL code discussed, and shown, will be made available in the slides, so even if you are a nascent developer like me, you can do this too. No prior coding knowledge is required, but you will need the Designer client for some items.

Go sign up and attend this annual conference that leaves you wanting more every time.
If you want to graduate and need me to issue O.W.L. Domino Certificates, let me know in the comments or via social media and I will see what Hermione can conjure up for you so you can prove you completed the course.

Wednesday, January 1, 2020

One HCL Master's Plans for 2020

I was not kidding when I said I was surprised to be named an HCL Master.
I am very honored to be part of the 1st full class of Masters.

For me, it was a slow/low year, especially the last quarter, due to losing my grandfather and having to back out of Soccnx/Let'sConnect Munich at the last minute. I know, I say this every year, but I wonder, with 100s of people out there being nominated, was I really deserving? Why were the others not more deserving? Surely some of them deserved it too. If you were nominated and did not make it, I am happy to try to help you get it next year. Once, we were all in your shoes, but we all took that giant leap.

Without knowing the judging committee, I can presume some brand awareness for me from all these years, and maybe I was #101, but like the old joke, what do you call a person that finishes last in his class? A graduate. Maybe that was me this time, #101.

So, for 2020, I am doing something substantive, so at least I can feel like I am repaying HCL's belief in me, from my past, to help the future. This plan involves quite an effort upfront, but I think, if others joined me in doing it as well, we could gather some serious awareness back to the products we love, even the one they refuse to mention as if it was Voldemort reborn.

Remember when we used to blog every day? Yeah, me too. But we float in and out of various social worlds, crowds, friends and time is accelerating as we get older.

With this in mind, I am in the process of setting myself up to be able to push out a new tip, hint, idea, download or benefit for users, admins, and, if it is possible in such small textual epistles, devs.

Every day of the week.

Every day of this year, all 366 days of it.

Yeah, I may be off my rocker a bit, but this was one of the ideas I pushed to Richard, Andrew and a few others, and figured I should see what I can do with it.

Each day of the week has its own topic, as shown below. Posting times will vary so I can gauge interest and traction, plus different social media places require different formats, so I will start with Twitter and then LinkedIn, and from there will see which way to go:

  • Monday - Domino
  • Tuesday - Sametime
  • Wednesday - Clients
  • Thursday - Traveler
  • Friday - Fonts (UI/UX, but that doesn't start with an F), Folders and Files tips
  • Saturday - Weekend tips for admins and users
  • Sunday - Fun stuff day. Why post on Sundays? Because in the Pacific Rim it is a workday already, as it is in Israel, where I have resided these last 5 years.
I admit to not being a Connections guru so I will let someone else provide those tips.

Verse, Nomad, Volt, the unnamed N client and some other item may pop up at one time or another.

Business Partners that want to sponsor posts or have some interest in a similar series for your own products, let's talk; after all, 366 days is a lot of things to post, and I can't talk about Engage or Let's Connect every day. (User Group events I am happy to post for anyone that reminds me about them.)

Most tips will be obvious to my fellow HCL Masters, but to all of the new and old admins/users/devs out there, hopefully you will pick up something new that spurs you to think outside the box about how to help your users and company. Then again, I have a treasure trove of historical .ntf files, graphics and other things to let people download, because how else do we give back to the next group behind us?

Of course I will also blog erratically when the muse visits me.

To the haters, deserters, and friends that wonder why I bother, what can I say? Hire me, and show me something better to champion. If I do this for free, imagine what I can do for your brands with a budget. The list I gave Richard had 30 other ideas.

My hashtag for these is #HCLMasterTips and, like my FudBuster Friday posts a few years back, feel free to hit me with any ideas or things to cover and I will give you credit for them.

Happy New Year Everyone