Friday, November 18, 2022

Welcome to 12.0.2, Please Uninstall Your 32-bit Notes Client Edition

 

32 to 64 bit HCL Notes upgrade error

I just got back from the HCL Factory Tour in Milan, will post about that next week, but first, I need to explain this.

As you may, or should, know, HCL created a 64-bit client that is now available as of 12.0.2. Yesterday it appeared on Flexnet.

I asked in Milan what HCL did to help customers upgrade from their 32-bit clients to the 64-bit one because, in the beta, one would get the error message above when trying to run the installer.

2 different HCLers told me you could just install one over the other, but it is not recommended.

I pointed out that the beta said one could not, but they insisted.

Well, I am here to point out you cannot install over the 32-bit client to reach 64-bit nirvana.

The error still appears.

So, off I went to uninstall 12.0.1FP1 32-bit client.

I did this on my personal server, which doubles as my test client, then started the 64-bit install.

One should run the NICE tool, yes there is a new NICE64 tool, and if you wish, restart your PC before running the 64-bit 12.0.2 installer. But I did not.
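A pre-flight check for the situation above, added here as an example (it is not HCL tooling and not part of the original post): it lists Notes clients registered in the Windows uninstall keys and reports whether a 32-bit one is still present. The "HCL Notes*" display-name pattern is an assumption, as is a 64-bit Windows machine with a 64-bit PowerShell session.

```powershell
# Added example, not HCL tooling. Run in a 64-bit PowerShell session on 64-bit
# Windows; a 32-bit session is redirected to WOW6432Node for both paths below.

# Assumption: the client's uninstall entry has a DisplayName starting with
# "HCL Notes". Adjust to what Programs and Features shows on your machines.
$NamePattern = 'HCL Notes*'

# 32-bit packages register under WOW6432Node, 64-bit ones under the native key.
$UninstallKeys = [ordered]@{
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
}

function Get-NotesInstall {
    param([string]$Pattern = $NamePattern)

    foreach ($bitness in $UninstallKeys.Keys) {
        Get-ItemProperty -Path $UninstallKeys[$bitness] -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Bitness         = $bitness
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    UninstallString = $_.UninstallString
                }
            }
    }
}

$installed = @(Get-NotesInstall)
$installed | Format-Table -AutoSize

if ($installed.Bitness -contains '32-bit') {
    Write-Warning 'A 32-bit Notes client is installed. Uninstall it before starting the 64-bit installer.'
}
elseif ($installed.Bitness -contains '64-bit') {
    Write-Output 'A 64-bit Notes client is already installed.'
}
else {
    Write-Output 'No Notes client found. The 64-bit installer can run.'
}
```

Run across a fleet, the same function gives you the list of machines that still need the uninstall step before a 12.0.2 rollout.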

If you have to ask why HCL is doing this, then turn in your IT badge, it has been a long time waiting for this to arrive.

Running the HCL Notes 64-bit installer


Now the installer is free to get moving. The entire process, including downloading the code, took under 30 minutes and that was with me trying to install over my 32-bit client, grabbing the screenshots, writing this post in between clicking ok, etc. Your time should be about 10 minutes.

Completed HCL Notes 64-bit installer

By the way, the 64-bit client download file is 1GB. Domino is only 800MB, just sayin'. It used to fit on some floppies.

Anyway, the bottom line is if you are doing a client/laptop/OS refresh soon, you need to go to the 64-bit client.

It was implied by HCL, well strongly hinted, that the next version would be the last 32-bit client, so you need to start planning for it.

There will no doubt be more posts by people pointing out aspects that still need 32-bit parts like Jesse did here: https://frostillic.us/blog/posts/2022/11/17/notes-domino-12-0-2-fallout.

Other Ambassadors have posted in our private chat about various issues the 64-bit client has with some application items, more info will be coming, no doubt, so developers, your time to test is here.

You may also need to think about which version of Microsoft Office you installed and if anything depends on it, so test it, but you should have installed the 64-bit version of that as well. This is from a conversation I had with a customer on the way to the train and airport which made me wonder what might happen.

When complete you should see this in the About Window Box


So caveat emptor and start testing and preparing your plans and progress.

Starts right up, all of the .nsfs I had, and the workspace is there just like before. I did not clean out my notes.ini, but you should or just strip it down to the basics and let it update, but that is for another post.

As always, feel free to reach out for help from me, fellow HCL Ambassadors, your Business Partner, or HCL rep.

Happy Installing! Now on to my server update, Traveler, Nomad, Verse, and Ontime Freemium Group Calendar updates (their video here: https://www.youtube.com/watch?v=JxCIEQ5fjOQ). I will post updates once each is done and how long it took to do them.

Server Update Info: Including shutting down Domino, installing the update, restarting the server, and then all the server updates running, the total time was 6 minutes until I could access it from my client. Naturally, in full corporate environments, your timing will vary.

Traveler Update Info: Traveler 12.0.2 now enforces that you shut down Domino before installing it. So, although the actual time to install Traveler is a minute or 2, the process takes longer due to the shutdown, and then I did a clean reboot as well.

NOMAD Update Info: Delayed, no 12.0.2 documentation has been indexed yet, so there are no details about it beyond downloading the 1.0.5 code which I got in beta, unzipping it to the domino root folder, and running NOMAD as a server task. Product Management says 1.0.5/12.0.2 version is not up yet on Flexnet. Will update this once available.

Verse Update Info: Although I thought it would be inside Domino 12.0.2, it seems that is not the case, so it is still a separate update. The current version is 3.0, which you can download from Flexnet. Follow these instructions, https://help.hcltechsw.com/verse_onprem/3.0/admin/vop_configuring_server.html. You should have it up in about 10 minutes if you have all the other parts in place. If not, you may need an hour or so to configure whatever you are missing. URL looks like this example if you need to run in parallel to iNotes: https://keithbrooks.com/verse

Ontime Freemium Group Calendar Info: It will probably get done over the weekend.

Thursday, November 3, 2022

SnTT - Which Database has an FTI?


Earlier this year, Martin Vogel and I gave a session at Engage titled "Teaching Young and Old Dogs New Tricks: Notes & Domino Shortcuts You Wish You Knew." It was a great session, with the room filled to capacity.

But I was neglectful; I had planned to post some essential tips in my blog at the time but did not get to it. I will try to make up for it over the next few weeks.

The first one that not everyone may know about is how to find out which databases have an FTI, Full Text Index.

Here is the scenario:

You are asked to build new servers for your customer or organization and while looking at the old server, notice some indexing on some databases. This causes you to think, how do I find out which databases have an FTI so they can be rebuilt on the new server?

Good question, right?

I will first provide an answer for anyone not on R12 and then post the R12 way.

Pre R12 FTI Details for any given Database

  1. Open the catalog.ntf in the designer client
  2. Open the Views List
  3. Edit the Applications\by Server view
  4. Insert a column where you want it, and name it FT Index
  5. Change the field for this new column to DbFullTextIndexed
  6. Set the column to sort both ways
  7. Save your changes
  8. Replace the design of your catalog.nsf

NOTE: This presumes all your databases are set to show in the catalog.nsf, so not 100% foolproof

The R12 way to see FTI Details for all Databases on Your Server

  1. Open the Administrator client
  2. Go to the Files tab
  3. Click on File-Preferences-Administration Preferences
  4. Select the Files Tab
  5. Add the FT Index (see screenshot below, FT Index is the last one in the list)
  6. Reorder the column location, or it may end up in the 27th column
  7. Restart the Administrator client to see the change

If you need it, you can copy and paste the full view into Excel if that helps you track what you are doing.


Pretty cool if you ask me that this got added in R12. I had asked for it in an Aha request, and it got done, so Aha is listened to by HCL, here is the link to that request:

It was the first item added to the column list since before R9 at least.

Thursday, October 27, 2022

How to Enable, or Disable, TOTP for HCL Traveler and Verse

After a discussion with fellow HCL Ambassador David Hablewitz, I realized I did not fully explain the HCL Traveler/Verse (will just refer to it as Verse) and TOTP issue in my blog post the other day.

I intended to explain the pros and cons of using TOTP and Verse, but I neglected to explain how to enable or disable TOTP and what you do if you have one server or separate servers.

The how-to is what this post is about.

It is pretty easy to do in a proper environment where Verse sits on its own server.

You probably see something similar to this in your Internet Sites for the Verse server (ignore the 404 error page I was testing):


If you double-click on the head item on the Web Site, you will see where you turn TOTP on or off. I am presuming you have set TOTP up already. The option is there because of the names.ntf template changes in R12 and R12.0.1.


If you don't want TOTP, change the selected option to "Yes" instead of "Yes with TOTP."

Simple, right? 

What if you are a smaller organization that relies on one Domino server to do anything and everything? What if you don't want Verse to have TOTP, but access to applications, or mail, should have TOTP?

My suggestion from a security perspective is to create a new URL for Verse. It is easier, under R12, for you to create a unique URL for your domain and get a Let's Encrypt SSL certificate for it for free.

Sidenote: I understand that you could leave it set up as it is above and turn TOTP off for the default website. You may do this because you don't want to field tons of help desk calls from users who can't change a URL, but this route would leave your whole server in a less secure mode.

Decide on the new URL, traveler.company.com. Set it up in your internal and outside DNS.

Create the new Internet Site document for the unique domain. It may look something like this:







Don't forget to edit your Traveler URL section of the server document to accommodate this change.

And now you can restart HTTP and Traveler, and you should get prompted for TOTP at your domain, but not with Verse once outside DNS changes go into effect. So I suggest you set it up and wait till the exterior works, then cut over internally.

You will need to create all the docs, so it looks like this:


And users may have to reinstall Verse to change the URL.

Once set up, you can turn on TOTP for Verse down the road if you wish. This also lets you move the Verse server easier in the future because it is no longer tied to your server, just the URL.

Tuesday, October 25, 2022

Customizing the TOTP Login Form and MFA Pages

Continuing the extension of my TOTP session from Collabsphere, I wanted to expand upon modifying the Login Form and MFA page for those who need it and want to know how to do it.

The truth is I covered this in my 2021 Collabsphere presentation but since learned a few things which I want to pass on to all of you.

In 2021, I created this flowchart explaining how to add your corporate logo to the background logo.

Editing TOTP Background with your logo
How to add your company logo to the TOTP Background graphic.

Of course, you could use any graphic, just figure out the scaling side, but I found it easier to just add my logo to the existing MFASetup1.png file.

There is a style.css file (Under Resources-Style Sheets) where if you find this section, you can change the graphic to whatever you want by renaming the png file and, of course, adding your graphic to the Resources-Images section: 

Today I found it was not letting me add a company logo to the .png with the 12.0.1 template. I had previously done it with the 12.0 template. So YMMV.

So how do we let people know it is the company's MFA login page?

I edited the form called $$LoginUserFormMFA in the domcfg5.ntf. If you don't do it in the ntf, you will lose your updates when the design task runs.

I replaced the HCL Domino text with the company name and added MFA Login Page.

While editing the text, I added the details below, which is helpful since the default page tells the user nothing.

MFA Instructions / Help

To set up and start using MFA take the following steps:

Step 1: Enter your Username and Password and press the 'Login' button.

Step 2: Follow the prompts to set up Multiple Factor Authentication, our preferred authenticator app is Duo.

Step 3: Once you have set up the MFA, return to the login page. Enter in your username, password, and MFA Token via your authenticator

Step 4: Click the Login button.


Naturally, you can add whatever text you wish and probably add a popup help window, among other things, but I am just a simple admin.

Don't forget to save your changes.

While still in this form, if you go to the list of objects below the window and look for the "Window Title" object, you can edit the text there, as I have, so it says "The CompanyName MFA Login Page." And don't forget to save your changes.

I like to minimize helpdesk calls, so I want people to realize it is a legitimate site. I know, hokey, but something is better than nothing.

The hard part, and I don't suggest you do this unless you really want to do it, is to edit the MFA Setup page.

You see, it is not a page, or a form, or a view. It is a small Java file.

You would have to unarc/zip it or whatever you do to Java files, edit it, recompile it, and put it back on your server.

And if you do a server update, it will wipe it out.

And you would have to do it all over again. You might be able to copy the file, but if HCL makes any changes, you are screwed, so I have decided not to mess with it.

The .ntf would also get overwritten on an update, so why do it there?

To me, it is easier to replicate and maintain a local copy of the .ntf than to do it for the Java part, but again, YMMV.

My personal server page looks like this now:


If you previously had a custom login form and now want to add TOTP, I strongly suggest you copy your custom form into the $$LoginUserFormMFA and sort it out from there. 

There are too many parts to TOTP and the domcfg database that will make it hard to do it in reverse.

I am sure my developer friends may make fun of me, but this was the easier (less time involved) of the 2 ways we tried to do it to bring it up and make it work. Again YMMV.

I did not touch on the use of the notes redirector, but that is how we are using it, and of course, if you need to edit the iNotes Redirector, I wrote a few posts about it many years ago, you can click on that section from the top of my blog or use this link: https://blog.vanessabrooks.com/p/inotes-redirector.html.




Friday, October 21, 2022

To TOTP, or NOT To TOTP, Traveler/Verse users, THAT is THE Question

 

Whether 'tis nobler in the mind (of users) to suffer The slings and arrows of outrageous fortune security guidelines, Or to take arms against a sea of (illogical) troubles, And, by opposing, end their tyranny upon us?

Shakespeare will have to live with my edits.

Enjoy the video because it is THE definitive way to say the quote :-)

Now that Collabsphere has finished, it was a great event once again managed by Richard Moy with a supporting cast of dozens of people, I had a follow-up item from my session.

I will post the slides once I find a new home now that Slideshare has gone paywall.

The question continues to arise about using TOTP for Verse (Traveler) users.

If you attended my session, you heard me discuss the pro (not sure if there is anything beyond my insurance/compliance or security people require it) and the many cons. 

If anyone has more PRO reasons, let me know, but for now, this is the slide I used.


Remember that current phones usually require a code, slide design, finger, face, or eye scan just to let you into your phone.

Then the Verse app has a login and password for itself.

Do you still need an MFA after 2 levels? 

Also, if the whole purpose of the MFA is to secure the mail application, what purpose does it serve by being on your phone, if your phone is lost or stolen? Let's say the robber has the initial code (stop using your birthday or kid's birthday or anniversary). Then having the MFA there is totally useless.

So, why do you want to enforce this?

Right, because your insurance company told you.

Oddly enough, they did not tell you to disable SSO (Single Sign On), which negates any aspect of MFA a computer might have to start with. Nor do they expect you to have an MDM solution, which is really what you need for this purpose.

Traveler/Verse has some aspects of MDM, like remote wipe, but does not verify your device has the appropriate number of digits in your passcode.

So, again, why do you need to do this?

Have you asked for the technical guidance document from your insurance company?

You should let me know if any of them ever produce one. And if they have one, does it make any sense?

TOTP is URL-based, not Server or Domain-based.

You can let Verse users use the usual traveler.company.com URL without TOTP while maintaining TOTP enabled for webmail.company.com; see my slide below.



Yes, you can change the TOTP time-out setting (https://help.hcltechsw.com/traveler/12.0.0/auth_timeout_totp.html), which I did on my personal server, so I only log in with TOTP if my phone has been off for more than 18 hours. This happens every weekend, I shut it off an hour before sunset and turn it back on after sunset on Saturday.

The choice is yours, as the Admin, but you will have more help desk tickets every Monday morning and possibly every time a user flies, and they will think they are locked out.

So, in the immortal words of the Bard of Avon,

 "Out of this nettle - danger - we pluck this flower - safety."

'Henry IV, Part 1' (1597) act 2, sc. 3, l. [11]


Thursday, May 26, 2022

Engage Recap

I can't even begin to tell you all the things we saw and learned, and that was before Engage even started.

Highlights include:

Forgot to add this: Restyle. It will update your old Domino applications' appearance and give it a modern look in minutes! Totally cool!

  1. Project Keep is back
  2. R13.0 is a 2024 thing, with 12.02 being out by Q4-22 and 12.03 (or maybe 13 if they change their mind) in 2023.
  3. The designer client is getting redone (no idea what that means) for the 2023 time frame.
  4. When I asked about the admin client, it was missing from Barry Rosen's slide. I got some interesting answers, so something is brewing, but no date is planned, so think R13. For those keeping score, Tim Clark is PM for Admin client.
  5. 12.02 I think they said they will have Busytime lookups for O365 invitees, maybe 12.03, either way, this is great and needed by everyone.
  6. More DKIM and SPF, and DMARC parts are coming soon.
  7. Verse 3.0 is out soon (June). Less iNotes, more purpose-built things in it. Read the Read me file; as Agnes said, Beta for Verse means something is included but not turned on by default. So check it out and RTFM.
  8. HCL VOLT MX GO was announced to help customers connect more parts of their world to Domino and vice versa. Jason Gary did a pitch about the name at Engage. If you remember the 90s/00s when we had Domino Go Server and similar things, you get what this is about.
  9. Verse mobile is the Traveler client. Confusing? Yes, is it going to be changed? No.
  10. In my session, half the room was already on R12, and I would think many of the customers that attended were as well.
  11. Sametime 12 is available. It only runs in a container.
  12. HCL is pushing out ALL the 3 tiers of languages on the GA dates, unlike IBM, which made everyone wait 30/60/90 days.
  13. Certifications and HCL Training are coming back, Luis Guirigay's slides should be reviewed for more details. Engage will be posting the slide decks shortly.
  14. Talk about having a by default ODS update built into the client when you install it.
  15. The ability to swap who is sending the email is getting enhanced further. 
  16. Just a reminder, 12.01 had a names.nsf template update you want to use, especially if you are working on a TOTP plan.
  17. Nomad will not require Safelinx any longer, thanks to the dev team that said "we can do this" and they did!
  18. Chocolate is good, free chocolate is better, but free beer is the best.

I went into the event relatively neutral but left very upbeat and impressed by HCL and what they are saying and showing. While I may disagree with the dev first mentality, I am, after all, a long-time (29 years?!) messaging and admin person.

If you do not go to these types of events, where everyone from Richard Jefts down to the sales and tech staff is accessible, you are missing out on having yourself heard.

My time with Richard was really insightful. Then again, so were my discussions with Barry, Andrew, Scott, Michael, Luis, and many more people, even the great Gareth Cook of the iNotes Redirector fame.

Thank you to Theo and Hilde for once again putting on a great event and making everyone feel comfortable and happy to be part of the extended Yellowverse family.

Lastly, I want to thank Martin Vogel for presenting with me. It was his first time presenting at Engage and his first time presenting in English. He nailed it. I will be posting our tips over the next few weeks because Slideshare no longer works the way it used to, and some of the tips should be searchable and not hidden in a presentation.