
IBM Notes, Domino, Domino Designer 9.0 Social Edition
Public Beta Release

Release Notes

Public Beta Edition (December 13, 2012)


This edition applies to IBM Notes and IBM Domino 9.0 Social Edition, and to all subsequent releases and modifications, until otherwise indicated in new editions. Copyright International Business Machines Corporation 1994, 2012. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta

Release Notes

Installation
A note about re-naming the current Notes and Domino release
The identity of the current release of Notes and Domino has changed from "8.5.4 Social Edition" to "9.0 Social Edition." The term "9.0 Social Edition" refers to the overall release, and not a particular component or feature. This change will be visible in several areas of the product, such as splash screens, Help/About screens, install panels, and consoles. The add-on install packages for Notes and Domino that were previously called "Social Edition" are now a part of the Notes client installer, and display as a feature named 'OpenSocial component' (Linux installation will still include an RPM file). The Domino add-on install package previously called "Domino Social Edition Embedded Experiences Add-On" is now called 'Domino Social Edition OpenSocial component'. If upgrading, please select 'OpenSocial Component', as it will not be selected by default. The Notes Application Plug-in has been renamed to "Notes Browser Plug-in". While most of these changes have been implemented for the Public Beta, a small number will be completed for the GA release.

Server installation
We recommend that you install the Domino server for this beta release on a non-production system. You can upgrade a server running the latest maintenance release of a shipped version of Domino. If you upgrade, be sure to manually refresh the design of the Domino Directory. For instructions on installing the Domino server, see the following topic in the Domino 8.5 Administrator section of the Domino and Notes Information Center: Domino Server Installation

Server installation on AIX - Requirements for SHA-2 support


If you wish to deploy or make use of support for SHA-2 on AIX 5.3 or AIX 6.1, please obtain and install the AIX C++ Runtime 9.0.0.8. This is the minimum supported AIX runtime for SHA-2 support on those releases of AIX. AIX 7.1 requires no runtime change because it already supports a later version of the runtime. In addition, Notes 9.0 Social Edition supported platforms for AIX include:
Platform
- AIX 32
- AIX 64

Prerequisites
- AIX 5.3 TL7
- Compiler xl C/C++ v9
- C++ Runtime 9.0.0.8

9.0 Social Edition Supported Platforms
- AIX 5.3 TL7 POWER System (64-bit kernel)
- AIX 6.1 POWER System (64-bit kernel, Service Pack 4, APAR IZ10223, APAR IZ09961, APAR IZ10288, APAR IZ08022)
- AIX 7.1 POWER System (64-bit kernel)

Comments
- AIX 7.1 already has the minimum runtime
- Currently sw in the 9.0 Social Edition builds


Server installation on IBM i


Refer to the following Domino 8.5 technotes for information about Domino 8.5.x and preparing to install on IBM i:
- Domino 8.5 for i: Getting started (Technote 7013148) http://www.ibm.com/support/docview.wss?rs=463&uid=swg27013148
- Domino 8.5 for i: Installation and upgrade (Technote 7013151) http://www.ibm.com/support/docview.wss?rs=463&uid=swg27013151
- Domino 8.5.x for i: Program Conversion (Technote 7013152) http://www.ibm.com/support/docview.wss?rs=463&uid=swg27013152

Follow the instructions "Install Domino 8.5 from a Web kit" in the Domino 8.5 for i: Installation and upgrade technote; install this beta release using RSTLICPGM commands or the ISMP GUI installer setup.exe. If using RSTLICPGM commands, install the Domino 9.0 Social Edition server (QNOTESRL SAVF) as OPTION 14 of the 5733L85 product. Soft-copy electronic licensing of the server option will present a license display; press F14 to accept the license.

To configure a new 9.0 Social Edition server using CL commands, library-qualify the CFGDOMSVR as follows:
>> QDOMINO854/CFGDOMSVR SERVER(<server-name>) ...

To install the OpenSocial component on IBM i:
1. On the IBM i system, stop any active Domino server and make sure Domino 9.0 Social Edition is already installed.
2. Download the webkit to a workstation and extract the contents. InstallShield Wizard will run automatically after the extraction.
3. Follow the instructions on the Installer panels to accept the license, specify the IBM i system where the OpenSocial component will be installed with user profile and password, and specify the default location where the files are extracted. Click Next to start installing.
4. After the InstallShield Wizard completes successfully, log on to the IBM i system to check the status of the OpenSocial component.
5. Use the DSPPTF command; you should see the following result:
   DSPPTF LICPGM(5733LD9)
   Opt  PTF ID   Status               IPL Action
        SE19001  Temporarily applied  None


To uninstall the OpenSocial component on IBM i:
1. On the IBM i system, stop any active Domino server.
2. Log on to the IBM i system.
3. Use the RMVPTF command to uninstall the OpenSocial component; you should see the following result:
   RMVPTF LICPGM(5733LD9) RMV(*PERM)
   Object QPZ119001 in QDOMINO900 type *FILE moved to library QRPLOBJ.
   Object QPZ119001 in QRPLOBJ type *FILE renamed QSE1900101.
   Object QPZ219001 in QDOMINO900 type *FILE moved to library QRPLOBJ.
   Object QPZ219001 in QRPLOBJ type *FILE renamed QSE1900102.
   Object QPZR19001 in QDOMINO900 type *PGM moved to library QRPLOBJ.
   Object QPZR19001 in QRPLOBJ type *PGM renamed QSE1900103.
   PTF 5733LD9-SE19001 V9R0M0 permanently removed from library QDOMINO900.

Server installation on Unix for the OpenSocial component


During installation
1. Ensure that all scripts in the tools directory have execute permission.
2. Execute the following to ensure that all files are runnable:
   chmod -R +x
3. Define a NUI_NOTESDIR variable to point to your existing Domino directory containing the notes/latest folder. For example, if the directory is /opt/ibm/domino, use the following:
   export NUI_NOTESDIR=/opt/ibm/domino

To uninstall
1. Navigate to the directory with the install files.
2. Locate the following script (located in the same place as the install script: in the <platform> folder of your Domino Social Edition 9.0 kit after untar):

3. Execute the script using the following command:
   ./uninstall


To uninstall in silent mode
1. Edit the uninstall script and replace -console with -silent. For example, replace:
   cmd="$NUI_NOTESDIR/notes/latest/$DEV_ARCH/jvm/bin/java -DSE=1 -cp $NUI_NOTESDIR/notes/latest/$DEV_ARCH/_uninstSE/uninstall.jar run -console"
   with
   cmd="$NUI_NOTESDIR/notes/latest/$DEV_ARCH/jvm/bin/java -DSE=1 -cp $NUI_NOTESDIR/notes/latest/$DEV_ARCH/_uninstSE/uninstall.jar run -silent"

Completing OpenSocial component installation
1. Download and install the Domino 9.0 Social Edition build.
2. Shut down the Domino server.
3. Run the server installer and follow its instructions to install the OpenSocial component.
4. Start the Domino server.

Client installation
IMPORTANT - Installation notes

Windows 7 - Must run as Administrator to complete multi-user install
Multi-user installation is not supported on Windows 7 when installing from a non-administrator account; you must be logged in as an administrator to install Notes 9.0 Social Edition Public Beta.

Linux - Ubuntu 12.04 64-bit is not supported
Installing the Notes client on Ubuntu 12.04, 64-bit platform is not supported for this beta release; installation will fail if attempted.

Linux - Upgrade is not supported from 8.5.x releases
If you have previously installed a Notes 8.5.x release, it must be uninstalled prior to the installation of the current Notes 9.0 Social Edition Public Beta. You may uninstall previous versions and install the new version manually, or you may run the shell script smartupgrade.sh, shipped in the Notes 9.0 Social Edition install kit:
- smartupgrade.sh can uninstall 8.5.x and fixpacks, and then install 9.0 with all components
- smartupgrade.sh can perform a clean installation; 9.0 will be installed with all features
- smartupgrade.sh can uninstall/reinstall 9.0 with Open Social and Feedreader set by default

If Notes 8.5.x is not uninstalled and is launched after Notes 9.0 Social Edition Public Beta is installed, the data folder may be damaged and would cause various failures in both Notes 8.5.x and the Notes 9.0 Social Edition Public Beta.

IBM Symphony - Separate download now required
IBM Symphony has been removed from the Notes 9.0 Social Edition client. If you want to continue using Symphony, you can download it from the Symphony home page at: http://www-03.ibm.com/software/lotus/symphony/home.nsf/home


Support
Support from Development is available through the Web-based feedback forum. Deployment is strongly recommended ONLY in test environments, and not in production environments. To use the forum, you must be a registered user for the Lotus Developer Domain (LDD). Click here to create an account. Only the primary and backup participants at each company are registered for forum access.

About the documentation


The 9.0 version of the Domino Administrator Help is installed with the beta release build. Information about 9.0 Social Edition may vary between that Help information and this document for this beta release.

Patches
All patches, if any, are posted on the download site. See the main beta release announcement for instructions on installing them.


Domino Server
Purpose of the beta release
The server team is looking for feedback on specific aspects of the IBM Domino product for this beta release of Domino 9.0 Social Edition. As a result, areas of the product may not have undergone the extensive testing that normally takes place with releasing a milestone. We do not recommend that you use the early builds for anything other than testing the focus areas for a given drop, as these focus areas have undergone more extensive testing. If you find any problems with any of the focus areas, please report those issues in the forum. Information about the forum is provided below.

Support
Support from Development is available through the Web-based feedback forum. Deployment is strongly recommended ONLY in test environments, and not in production environments. To use the forum, you must be a registered user for the Lotus Developer Domain (LDD). Click here to create an account. Only the primary and backup participants at each company are registered for forum access.

About the documentation


The 9.0 version of the Domino Administrator Help is installed with the beta release build. Information about 9.0 Social Edition may vary between that Help information and this document for this beta release.

Patches
All patches, if any, are posted on the download site. See the main beta release announcement for instructions on installing them.

Known Issues
HTTP not starting on AIX 64, shows JVM exception in thread "main"
HTTP fails to start on AIX 64, with a JVM error in the console log, as shown below:
[24183018:00002-00001] 21/07/2012 11:35:44 Schedule Manager: Informational: Detailed schedule information collection is not enabled via the domain-wide Server Configuration document.
[24183018:00002-00001] 21/07/2012 11:35:44 SchedMgr: Validating schedule database
[24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: Exception in thread "main"
[24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: java/lang/Error: bootstrap error, system property access before init
[24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: at java/lang/System.getProperties (System.java:339)


Workaround: Set the locale parameter. On AIX, locale shows the current locale parameter. Next, type in:
export LC_ALL=C
export LANG=C
Confirm the locale parameter is set by typing in locale again. Install the North American Domino server kit as root. Finally, when you switch to the Notes user, ensure that export LC_ALL=C and export LANG=C are set. Then start Domino as usual.
(SPR # PLOS8WEEJF)

PANIC: LookupHandle: handle not allocated issue
Several crashes have been observed when closing documents associated with a database that is being closed in the IMAP process. No cause has been determined, and there is currently no workaround.
(SPR # BFUY8XNL8M)

OAuth and OAuth2 service elements defined in an OpenSocial gadget used in Domino cannot work in this beta release without a name attribute
If the name is missing, the Widget Approval process will not prompt for the OAuth data.

Workaround: Specify the name for any gadget you use. For more details, see the relevant sections in the OpenSocial specifications for OAuth and OAuth2:
- http://opensocial-resources.googlecode.com/svn/spec/2.5/Core-Gadget.xml#rfc.section.4.1.1.6.1
- http://opensocial-resources.googlecode.com/svn/spec/2.5/Core-Gadget.xml#rfc.section.4.1.1.7.1

On a Domino server upgraded to Domino 9.0 Social Edition, 8.5.3 mail users may see an undefined string in the interface
The problem occurs when there is both a Forms85.nsf and a Forms9.nsf file on the mail server.

Workaround: It is recommended that you either delete Forms85.nsf from the server, or set the following two NOTES.INI parameters to specify the forms file you wish to use, for example:
iNotes_WA_FormsFiles=iNotes/Forms9.nsf
iNotes_WA_DefaultFormsFiles=iNotes/Forms9.nsf
Forms85.nsf provides users with the current 8.5.3 experience; Forms9.nsf gives them the new iNotes 9.0 experience. This issue will be corrected in a future release.
(SPR #JDOE8ZLMTR)


On Windows 2008 64-bit, an error message may appear after upgrading to IBM Domino 9.0 Social Edition from Domino 8.5.3
Despite the error message, Domino 9.0 Social Edition does install and start correctly after you click Finish and run setup. You may see the following error message:
Errors occurred during the installation. An error occurred and product installation failed. Look at the log file C:\<Domino Program directory>\DominoInstall.log for details.

Workaround: Ignore the message.
(SPR #SZZZ92JC2M)

On Windows 8 64-bit, SmartUpgrade fails when the location for the kit is a shared network drive
The following error message appears:
Upgrade did not complete successfully. Please try again or check with your Notes administrator

Workaround: In this beta release on this platform, do not upgrade from a shared network drive.
(SPR #SZZZ92R8JF)

If you disable the transaction log and restart the Domino server, the server hangs

Workaround:
1. Edit the server NOTES.INI file and set the following parameters:
   previous_translog_status=0
   translog_status=0
2. Force the server to shut down, and then restart.
(SPR # SMQU927C5M)

On Linux 64, full-text search option does not work as expected
In this beta release on this platform, the option for creating a full-text index "Using conversion filters on supported files (searching is often more accurate)" does not work because no conversion filters are yet installed. The content of most attachments is not yet searchable in full-text search, domain search, or site search.

Workaround: None.
(SPR # WBJZ8ZC5LW)


SAML authentication fails for iNotes users who do not have a Notes ID in the ID vault
In this beta release, after SAML is configured, only iNotes users who already have a Notes ID in the ID vault can use SAML. You cannot import IDs for them after SAML configuration; authentication will fail.

Workaround: Make sure iNotes users have Notes IDs in the ID vault before configuring SAML for iNotes.
(SPR #MFAY922JRL)

On IBM i, a new option to delete Domino shared memory does not work
A new option to delete shared memory manually for an authorized IBM i user will work in a future release, but does not work in this beta release. The option 18=Delete Domino Shared Memory is displayed in the Work with Domino Servers panel, but causes an error.

Workaround: Do not use this option in this beta release.
(SPR # JZLI8YGCKR)

IBM Notes/Domino Connector for DB2 does not work with DB2 10.1 Client
In this beta release, attempting to use this connector in combination with DECS or LSXLC displays an error message and fails.

Workaround: Use the DB2 9.7 or 9.5 client.
(SPR #SLAI8ZM8KY)

On Windows 64-bit, NSD cannot annotate call stacks
In this beta release on these platforms, NSD cannot annotate call stacks of running Domino server processes. The problem is indicated by "failed to map segment" errors in the NSD. The problem does not affect Notes client installations.

Workaround: This problem is most critical for crash situations where the crashing call stack is needed to identify the problem. In this case, NSD does generate a core file that can be collected and annotated. Searching for "Generating core dump" in an NSD yields an entry in the NSD where the path to the core file is recorded. Collect this file for problem determination. For example:

INFO (0): Generating core dump for [nchronos: 0898] (coreflags=0, exp=1c8ba70, dbgver=6.8.0004.0)
INFO (0): Generated core dump file C:\Lotus\Domino\data\IBM_TECHNICAL_SUPPORT\core_nchronos_W32I_SERVER_2012_09_14@06_26_53.dmp
(SPR #KBRN8NMS2Y)


On IBM i, a console message does not display if Java console is running
If the Domino server is connected with jconsole.exe, a console message does not display.
Note: Sending a Domino command via Java console to the server does work.

Workaround: Use either Work with Domino Console in Green Screen or the server console in the Domino Administrator client.
(SPR # YZZZ92RFGR)

Problem: Administrator client context-sensitive help functionality is not complete
In this beta release, not all areas of the Administrator client respond to the Help > Context Help command.

Workaround: Select Help > Help Topics and search the help for the area of interest.
(SPR #KLKL92CG7T)


Focus features
Security Assertion Markup Language (SAML)
Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. Notes/Domino federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.

About this task

SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and Web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions. The result for the user is transparent authentication and single sign-on with one-time authentication for multiple Domino web servers and applications, as well as any third-party applications that are also partnered with the IdP.

The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication method such as Integrated Windows authentication (SPNEGO/Kerberos) for users within an intranet. For Notes client users on Citrix, SAML authentication can facilitate a single sign-on solution, usually with the IdP configured for Integrated Windows authentication (IWA). SAML authentication at Notes client startup is referred to as federated login.

Note: For Web users, SAML-based single sign-on is an alternative to another method of single sign-on (SSO) already available in Domino: multi-session server authentication. SAML is most useful when your Domino environment includes third-party Web applications whose services your users access, or if multi-session server authentication is too limiting for your organization -- for example if the target environment requires SSO across DNS domains. For more information, see the topic later in this document on Configuring SAML from the Internet Site document.

You can set up federated-identity authentication for users of the Domino Web server, for Notes client users who authenticate through federated login, or for both.

In this release of Domino, the administrator can set up the Domino server to use SAML authentication by making it a partner with an on-premises federated-identity server such as IBM Tivoli Federated Identity Manager (TFIM) coupled with an IBM Tivoli Access Manager (TAM) authentication server. The TAM/TFIM server becomes the identity provider (IdP), and the Domino server is registered with it as a provider of the SAML authentication service.

For learning purposes, this beta release comes with cookbook instructions to create a highly simplified environment in which TFIM is deployed without TAM. In the highly simplified environment, users are identified by their common name (for example, "John Doe") to Domino, rather than by a unique identifier such as email address (for example, "jdoe@renovations.com"). The highly simplified scenario is for demonstration purposes only -- a full deployment would include a component such as TAM that ensures each user is identified by an email address, and Domino might have name mapping solutions in place to map the email address to a Domino name found on Domino ACLs.

Domino supports both SAML 1.1 and SAML 2.0. The SAML version you use depends on your choice of identity provider. In this beta release, "cookbook" instructions are included for ADFS, which requires SAML 2.0, and for TFIM with SAML 1.1 or TFIM with SAML 2.0:
- Cookbook: Setting up new Relying Party Trust for AD FS 2.0
- Cookbook: Setting up a new federation on TFIM 1.1
- Cookbook: Setting up a new Federation on TFIM 2.0
- Cookbook: Setting up a new partner on TFIM


SAML 2.0 is recommended unless your organization has a specific reason to use SAML 1.1. SAML 1.1 may be required to support single sign-on with specific applications. Depending on the level of SAML required for participating applications, the following identity providers that support SAML could serve as the federation for which Domino is the partner:

Table: SAML Versions supported by identity providers

Identity Provider (IdP) | SAML Version
IBM Tivoli Access Manager/Tivoli Federated Identity Manager (TAM/TFIM) | SAML 1.1 or SAML 2.0
Microsoft Active Directory Federation Services (ADFS) | SAML 2.0

Important: SAML authentication includes timestamps. Ensure that the SAML IdP computer and the Domino SAML service provider computer have their clocks synchronized so that these computers share the same notion of current time. If clocks are too far out of sync, a SAML assertion may be rejected because the assertion appears to have an invalid time. This is particularly problematic if the IdP machine time is ahead of the Domino server time, so that Domino rejects an assertion which appears to specify a future time.
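Added example (not part of the release notes and not Domino code): a Python sketch of how a service provider's clock decides whether a SAML 2.0 assertion's validity window is accepted, which is the failure described above when the IdP clock runs ahead. The sample assertion, the function names and the allowed_skew parameter are assumptions made for illustration; the notes do not say how Domino evaluates these fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SAML 2.0 assertion reduced to the fields used here.
# The IdP issued it at 10:00:00Z by its own clock, valid for five minutes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2012-12-13T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2012-12-13T10:00:00Z"
                   NotOnOrAfter="2012-12-13T10:05:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2012-12-13T10:00:00Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_validity_window(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Return (verdict, seconds) for the assertion as seen by the SP clock.

    verdict is "valid", "not-yet-valid", "expired" or "no-conditions";
    seconds is how far sp_now lies outside the window (0 when valid).
    allowed_skew is a hypothetical tolerance, not a Domino setting.
    The timestamps only mean something once the assertion's signature has
    been verified; that step is outside this example.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return ("no-conditions", 0)

    not_before = conditions.get("NotBefore")
    if not_before is not None:
        start = parse_saml_time(not_before) - allowed_skew
        if sp_now < start:
            # SP clock is behind the IdP: the assertion looks like the future.
            return ("not-yet-valid", int((start - sp_now).total_seconds()))

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None:
        end = parse_saml_time(not_on_or_after) + allowed_skew
        if sp_now >= end:
            # SP clock is ahead of the IdP, or the assertion arrived late.
            return ("expired", int((sp_now - end).total_seconds()))

    return ("valid", 0)


if __name__ == "__main__":
    idp_clock = datetime(2012, 12, 13, 10, 0, 0, tzinfo=timezone.utc)
    for label, sp_clock in [
        ("SP in sync", idp_clock),
        ("SP 90s behind IdP", idp_clock - timedelta(seconds=90)),
        ("SP 6min ahead of IdP", idp_clock + timedelta(minutes=6)),
    ]:
        print(label, check_validity_window(SAMPLE_ASSERTION, sp_clock))
```

A "not-yet-valid" verdict with a small offset on every login points to clock drift between the two machines rather than to a configuration error in the partnership.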

Compatibility
The following table lists client configurations with which SAML is not compatible or only partially compatible.

Table: Client configurations incompatible with SAML


If your organization uses ... | SAML is not recommended because ...
Smartcard protected ID | Federated login user IDs cannot be Smartcard protected IDs, because the ID vault required for Notes federated login cannot be used with a Smartcard protected ID.
Notes roaming user whose ID file is stored on server | Federated login users cannot be Notes roaming users whose IDs are stored in a roaming personal address book, because the ID vault required for Notes federated login cannot be used with Notes IDs stored in a roaming personal address book.
Notes on a USB device | Federated login cannot be used with Notes on a USB device, because the ID vault required for Notes federated login cannot be used with Notes on a USB device.
Notes user IDs with multiple passwords | Federated login user IDs cannot be Notes user IDs with multiple passwords, because the ID vault required for Notes federated login cannot be used with IDs that have multiple passwords.
Server-based password checking for Notes users | Disable this feature on server platforms when configuring all Notes users for Notes federated login. Password checking can be enforced for non-federated login users, but cannot be enforced for federated login users.

Specifics for SAML in this beta release


To test federated-identity authentication, you must update the design of the following databases to the templates provided with the beta release:
- Domino Directory - names.nsf (pubnames.ntf)
- ID Vault - idvault.nsf
- IdP Catalog - idpcat.nsf (if you previously deployed it)

Deployments in test scenario for IBM Tivoli Federated Identity Manager:


- Operating system: Windows Enterprise Server SP2
- Stand-alone WebSphere Application Server profile
- WebSphere 7.0.0.11
- TFIM 6.2.1 with FP 1

Deployments in test scenario for Microsoft Active Directory Federation Services:


- Operating system: clean installation of Windows 2008 EE 32 bit
- ADFS 2.0 Version 6.1.0.0

Assumptions for federated login in this beta release


In this beta release, to test the federated login feature on Notes client users in your organization (as opposed to SAML-based authentication on the Domino Web server alone), your organization must conform to certain assumptions:
- Your Notes client users are in a Domino directory; you do not use directory assistance.
- Your Notes client users' IDs are stored in the ID vault.
- It is recommended that you test this feature on a clean client installation.

Important: Testing federated login in this beta release requires following the instructions in the following document: Cookbook: Setting up Notes federated login


Setting up a TFIM server as the identity provider (IdP)
This topic uses IBM Tivoli Federated Identity Manager (TFIM) as the example of an identity provider (IdP) to Domino for your organization.

Before you begin
An IBM WebSphere server is the required platform for TFIM.

Procedure
Perform the following tasks:
1. Setting up a Tivoli Federated Identity Manager (TFIM) federation
2. Setting up a Domino server as a TFIM partner

Setting up a Tivoli Federated Identity Manager (TFIM) federation


You can configure Tivoli Federated Identity Manager for either SAML 1.1 or SAML 2.0.

About this task
For the details necessary to set up TFIM as a federation for use with Domino, see the "cookbook" for SAML 1.1, or see the cookbook for SAML 2.0, available from the Public Beta download site. You can also find general instructions for setting up TFIM in these related reference topics in the Tivoli Information Center.

Related reference
Gathering your federation configuration information
Creating your role in the federation

Registering the TFIM identity provider server with Domino as the SAML service provider
Registering Domino consists of an export step on the TFIM server and an import step on the Domino server.

Procedure
1. Export the TFIM identity provider (IdP) federation information from the TFIM server. The federation information is contained in a file called metadata.xml.
2. Transfer the file to a drive accessible to the Domino server, and from there, transfer the file to the Domino server.
3. On the Domino server configure the IdP Catalog as described below in Enabling the Domino server to provide SAML authentication.


Using Domino as a SAML-based security provider with SSL

We recommend, for security reasons, that if you are configuring federated-identity authentication on a Domino Web server, you secure the server with SSL (https protocol). In addition, SSL configuration is required if your IdP uses ADFS. SSL is not required, however, if the Domino server is not configured as a Web server -- for example, it is a Domino server used to host the ID vault that supports federated login for the Notes client.

About this task
You can customize the protocol used for the TFIM assertion post URL so that it is https by ensuring that the Assertion Consumer Service URL contains https. Shown below is an example of how to customize the URL in a TFIM partnership.

Note: If you specify https in the Assertion Consumer Service URL, you will see a connection error if SSL is not configured at the Domino Web server.

Note: For this beta release, if the partnership is set up using a metadata file from Domino, then you must specify https in the SAMLUrl notes.ini setting, before you create the metadata file at Domino. See above, Setting up a Domino server as a TFIM partner.


Your provider ID is in the TFIM configuration in the following field:

At the SAML IdP, the provider id is used to find the matching IdP partner, as specified in the Provider ID field in the TFIM Partners SAML Message Settings configuration. The Domino IdP Configuration document in the IdP Catalog similarly specifies the Service Provider ID argument (SP_PROVIDER_ID) used in building the redirect URL to the IdP. For example, if SSL is not being configured for Domino, the redirect URL to the IdP looks like this:
https://your_WebSphere_server_name:9443/sps/saml11idp/saml11/login?SP_PROVIDER_ID=http://your_Domino_server_name&TARGET=http://your_Domino_server_name/names.nsf

The Provider ID can be set at the IdP and at Domino (in the IdP Configuration document) to specify https, although the primary purpose of the SP_Provider_ID is to have the IdP setting match the setting at Domino in the IdP Configuration document. When configuring SSL at the Domino Web server, if you are monitoring the redirect URL to the IdP, you should see the TARGET containing https.
https://your_WebSphere_server_name:9443/sps/saml11idp/saml11/login?SP_PROVIDER_ID=https://your_Domino_server_name&TARGET=https://your_Domino_server_name/names.nsf

Note: The Domino Web server name must be the fully qualified host name.

For more information on the SP_PROVIDER_ID argument, see the related topic on the Internet transfer URL (SAML 1.x initial URL):

Related reference
SAML 1.x initial URL
Configuring a port for SSL
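Added example (not part of the release notes): a Python check an administrator could run on a redirect URL captured while monitoring a login, to confirm the three points made above: SP_PROVIDER_ID matches the Provider ID configured at the IdP, TARGET uses https when SSL is configured, and the Domino host name is fully qualified. The function name, the exact-string comparison and the sample URLs (built from host names that appear elsewhere in these notes) are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs


def check_idp_redirect(redirect_url, idp_partner_provider_id, ssl_enabled):
    """Return a list of (field, problem) tuples; an empty list means consistent.

    idp_partner_provider_id is the value of the Provider ID field in the
    IdP partner configuration. Exact string equality is assumed here.
    """
    findings = []
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    provider_ids = query.get("SP_PROVIDER_ID", [])
    if len(provider_ids) != 1:
        findings.append(("SP_PROVIDER_ID", "expected exactly one value"))
    elif provider_ids[0] != idp_partner_provider_id:
        findings.append((
            "SP_PROVIDER_ID",
            f"{provider_ids[0]!r} does not match the IdP partner "
            f"Provider ID {idp_partner_provider_id!r}",
        ))

    targets = query.get("TARGET", [])
    if len(targets) != 1:
        findings.append(("TARGET", "expected exactly one value"))
        return findings

    target = urlsplit(targets[0])
    expected_scheme = "https" if ssl_enabled else "http"
    if target.scheme != expected_scheme:
        findings.append((
            "TARGET",
            f"scheme is {target.scheme!r}, expected {expected_scheme!r}",
        ))
    # A fully qualified host name has at least one dot-separated domain part.
    if "." not in (target.hostname or ""):
        findings.append(("TARGET", "Domino host name is not fully qualified"))
    return findings


# Constructed sample URLs in the shape shown in the release notes.
IDP_LOGIN = "https://iti-ws2.renovations.com:9443/sps/saml11idp/saml11/login"
GOOD_URL = (IDP_LOGIN
            + "?SP_PROVIDER_ID=https://domino1.us.renovations.com"
            + "&TARGET=https://domino1.us.renovations.com/names.nsf")
BAD_URL = (IDP_LOGIN
           + "?SP_PROVIDER_ID=http://domino1"
           + "&TARGET=http://domino1/names.nsf")

if __name__ == "__main__":
    configured = "https://domino1.us.renovations.com"
    print(check_idp_redirect(GOOD_URL, configured, ssl_enabled=True))
    for finding in check_idp_redirect(BAD_URL, configured, ssl_enabled=True):
        print(finding)
```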

Setting up Microsoft Active Directory Federation Service (ADFS) as the federation for a Domino partner
In the beta release, you can configure Microsoft ADFS for SAML 2.0. ADFS requires that the Domino server you use as a relying trust (ADFS equivalent of a partner) is protected by SSL.

About this task
For the details necessary to set up ADFS as a federation for use with Domino, see the appropriate "cookbook", available from the beta download site.

Creating a Domino metadata file if the server .id file is password-protected


If the Domino server.id file has a password, the administrator must create the SAML metadata file manually; the Create Certificate button in the IdP Catalog cannot be used. 1. Edit the Domino server NOTES.INI file and enter the following required settings: SAMLAuthVersion=value The value is 1 for SAML 1.1, 2 for SAML 2.0. SAMLUrl=https://your_SAML_service_provider_hostname For example, domino1.us.renovations.com Note If your Domino server will not be enabled for SSL (required with an ADFS IdP, but not with a TFIM IdP), then this URL must start with http, for example, http://domino1.us.renovations.com SAMLCompanyName=your_organization_name Use any string convenient to your administrators. SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20 If your federation is Tivoli Federated Identity Manager, this setting specifies the log-out URL. 2. Restart the Domino server to allow the settings to take effect.


3. At the Domino server console on the Domino server, enter the following command to create the certificate:

   certmgmt create saml [overwrite]

   Note: If the server ID file already has an Internet certificate that could be used, this step is optional.

4. Take note of the public hash key displayed on the console after you issue the create command. The message displayed looks like this, but with a key specific to your system. The key is the string between the double quotes.

   Certificate created, public key hash="v6i9TOz7zP9GBCXxtrz+KA=="

5. Edit the Domino server NOTES.INI file again and enter the following required setting, using the hash key you noted:

   SAMLPublicKeyHash=your_hash_key

6. Restart the Domino server to allow the hash key setting to take effect.

7. Enter the following command to generate a metadata .XML file (for example, tfim-meta.xml for TFIM) to import into your federation:

   certmgmt export saml xml filename.xml

   Important: If you have chosen not to perform the certmgmt create step above, then you cannot use the certmgmt export command to create the metadata file. Instead of using a metadata file, you must manually enter information at the IdP to create the partnership in a later step.

8. Enter the following command to generate and export from Domino a certificate file (for example, renovationsSAMLCert.p12 for TFIM) to import into your federation:

   certmgmt export saml pkcs12 filename.p12

9. Copy the exported certificate file from Domino to a location accessible to the IdP, and import the file into the IdP configuration. For more information, see the cookbooks for the TFIM or ADFS IdP (linked above).
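As an added example (not IBM's code and not part of the release notes), this Python script checks a NOTES.INI fragment against the settings the procedure above requires and confirms that SAMLPublicKeyHash equals the hash printed by certmgmt create saml. The sample NOTES.INI and console text are constructed; treating setting names as case-insensitive, treating the hash as base64, and applying the Company name angle-bracket rule to SAMLCompanyName are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample input (not taken from a real server), following steps 1-5.
SAMPLE_NOTES_INI = """\
[Notes]
SAMLAuthVersion=2
SAMLUrl=https://domino1.us.renovations.com
SAMLCompanyName=Renovations
SAMLSloUrl=https://iti-ws2.renovations.com/sps/samlTAM20/saml20
SAMLPublicKeyHash=v6i9TOz7zP9GBCXxtrz+KA==
"""
SAMPLE_CONSOLE = 'Certificate created, public key hash="v6i9TOz7zP9GBCXxtrz+KA=="'

HASH_LINE = re.compile(r'public key hash="([^"]+)"')


def parse_notes_ini(text):
    """Return the settings as a dict keyed by lowercased setting name.

    Assumption: setting names are compared case-insensitively.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def console_hash(console_text):
    """Extract the string between the double quotes of the console message."""
    match = HASH_LINE.search(console_text)
    return match.group(1) if match else None


def check_saml_settings(ini_text, console_text, federation):
    """Return a list of findings; an empty list means the settings agree.

    federation is "ADFS" or "TFIM", the two products the page names.
    """
    s = parse_notes_ini(ini_text)
    findings = []

    version = s.get("samlauthversion")
    if version not in ("1", "2"):
        findings.append("SAMLAuthVersion must be 1 (SAML 1.1) or 2 (SAML 2.0)")

    url = urlsplit(s.get("samlurl", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        findings.append("SAMLUrl must be an http(s) URL with a host name")

    if federation == "ADFS":
        if version != "2":
            findings.append("ADFS requires SAML 2.0 (SAMLAuthVersion=2)")
        if url.scheme != "https":
            findings.append("ADFS requires SSL, so SAMLUrl must start with https")

    company = s.get("samlcompanyname", "")
    if not company:
        findings.append("SAMLCompanyName is missing")
    elif "<" in company or ">" in company:
        # Rule stated on the page for the Company name field; assumed here too.
        findings.append("SAMLCompanyName must not contain angle brackets")

    if federation == "TFIM" and version == "2" and not s.get("samlslourl"):
        findings.append("TFIM with SAML 2.0 needs a single logout URL (SAMLSloUrl)")

    configured = s.get("samlpublickeyhash")
    noted = console_hash(console_text)
    if not configured:
        findings.append("SAMLPublicKeyHash is missing (step 5)")
    else:
        try:
            base64.b64decode(configured, validate=True)  # assumption: base64
        except binascii.Error:
            findings.append("SAMLPublicKeyHash is not valid base64 (copy error?)")
        if noted is not None and configured != noted:
            findings.append("SAMLPublicKeyHash does not match the console hash")
    return findings


if __name__ == "__main__":
    for finding in check_saml_settings(SAMPLE_NOTES_INI, SAMPLE_CONSOLE, "ADFS"):
        print("FINDING:", finding)
```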


Enabling the Domino Web server to provide SAML authentication


This procedure ensures that a Domino Web server can participate in SAML-based single sign-on (SSO). The Security Assertion Markup Language (SAML) standard allows a Domino server to trust an authentication assertion from a specified identity provider (IdP).

Before you begin
The identity provider (IdP) you intend to use with the Domino Web server must be configured before you enable SAML on the Domino Web server. See Setting up a TFIM server as the identity provider (IdP) or Setting up Microsoft Active Directory Federation Service (ADFS) as the federation for a Domino partner.

Obtain a copy of the metadata.xml file that was exported from the IdP, and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Domino Administrator client.

If the IdP Catalog (idpcat.nsf) application already exists, you must have access to create documents in it.

Tip: Because SAML configuration requires cooperating configuration for Domino and for the identity provider (IdP), Domino Web server configuration should first be fundamentally sound when being used independently of an IdP. Therefore, before enabling SAML, consider setting up the Domino HTTP server for single-server session authentication. This task includes configuring Domino to log in as a Web user (for example, the Domino administrator that has been configured in the Domino Directory during the Domino server setup). After you as this administrator are able to log in as the Domino user, successfully browsing to URLs on the Domino server, the server is ready for SAML enablement.

For most SAML 2.0 configurations, the Domino HTTP (SAML service provider) server's ID file must contain an Internet certificate. If the server already has such a certificate (for example, one used for SSL), in a future release you will be able to use the same certificate for the SAML partnership. In this beta release, you must use either the IdP catalog database Create Certificate button, or the server console certmgmt command (see instructions for each below). In a future release, you will be able to use any existing method, such as the Domino certificate authority (CA), to create a certificate for use with SAML.

Tip: If you do not use either the IdP catalog database Create Certificate button or the server console certmgmt command to create a new Internet certificate for SAML, then you cannot create a Domino metadata file in this beta release; you must set up the IdP partnership manually.

In a future release you will be able to use an existing server Internet certificate (such as the server's SSL certificate) to work with the ADFS IdP, which does not require a Domino metadata file. If you use the server's SSL certificate, you would export the certificate and private key from the SSL keyring file into a file in PKCS12 format. Then you would use the User Security dialog box in the Notes client to import the certificate and private key from the PKCS12 file into the server's ID file.

About this task
Enabling SAML requires two tasks: specifying SAML authentication in the Domino Directory, and creating a document to contain SAML configuration settings. Depending on whether your organization uses Internet Sites, you specify the authentication in either the Server document or in one or more Internet Site documents. The SAML configuration settings are then specified in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application. Together, these documents determine whether Domino, as the SAML service provider, trusts SAML assertions from a specified identity provider (IdP). The IdP's public key, stored in an IdP Configuration document in the IdP Catalog application, is used for cryptographic verification of a SAML assertion issued by the IdP.


The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP.

It is recommended that you use SSL security for your SAML configuration; if your federation is Microsoft Active Directory (ADFS), SSL is required. See Using Domino as a SAML-based security provider with SSL.

Note: When your organization uses SAML for session authentication, disable the field Enforce Internet Password Lockout on the Security tab of the server Configuration document. In addition, disable any Web password management settings - such as synchronizing the Notes client password with the Internet password - that have been enabled in security policies applied to SAML users. For more information on Internet password lockout, see the following Information center topic: Securing Internet passwords

Important: If the Domino server has a server.id file protected by a password, the administrator cannot use the Create Certificate button described below to create a metadata file. Instead, see Creating the Domino metadata file if the server.id file is password-protected.

Note: Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.

Important: If you later modify an existing SAML IdP Configuration document or add a new one, restart the HTTP process on the Domino Web server so that the changes are recognized.

Procedure
1. From the Domino Administrator, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists.
   Caution: If your server is running on UNIX, make sure the file name is all lower-case.
2. Assign access in the ACL only to any Domino SAML administrator(s) and to the server.
   Note: If the idpcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL.
3. Click Add IdP Config to create a new configuration document.
   Note: If you have multiple Internet Site documents in your organization, and you want SAML authentication used at these multiple Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see Configuring SAML from the Internet Site document.


4. On the Basics tab, in the Host names or addresses mapped to this site field, enter either an IP address or Web address (DNS host name, or Internet site name) representing a service provider's Web site, or both. If you enter both, separate the IP from the Web address using a semicolon, for example, 9.32.256.2; www.renovations.com. The order of addresses does not matter, and you can enter multiple items, separated by semicolons.
   Important: The IP or Web address you enter here should match what is entered in either the Host name(s) field on the Internet Protocols/HTTP tab in the Server document, or the Host names or addresses mapped to this site field of the corresponding Internet Site document. In this way you can specify all host name/IP combinations that should share the common identity provider partnership.
   Restriction: If your organization is using SSL as recommended, you must include an IP address.
5. In the IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience. For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM).
6. In the Protocol version field, select a SAML version.
   Important: SAML 2.0 is required if your federation is configured on Microsoft ADFS.
7. Leave State for this Configuration document as Enabled (the default).
8. In the Federation product field, select either TFIM for IBM Tivoli Federated Identity Manager or ADFS for Microsoft Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS.
9. In the Service provider ID field, enter the string that identifies Domino as a service provider partner with the IdP. This string is usually the same as the HTTPS URL for the Domino HTTP server, for example, https://domino1.us.renovations.com.
   Note: If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string.
   Important: An entry is required in this field to use the Create Certificate button on the Certificate Management tab.
10. Click Import XML file, and specify the metadata.xml file exported from the IdP. It is recommended that you leave intact the information supplied from the imported XML file. For more information, see Table: Fields in the IdP Configuration document whose value is generated from the metadata.xml file at the end of this procedure.
11. On the Client Settings tab, leave Enable Windows single sign-on set to Yes if this IdP document corresponds to an IdP that uses Windows single sign-on (SPNEGO/Kerberos) user authentication. This field is required by Notes client federated login so that Domino knows how to set up the Notes client embedded browser.


12. Still on the Client Settings tab, in the Sites that are trusted field, list trusted identity provider (IdP) web host names that differ from the host name configured in the Basics tab. Separate entries with a semicolon or a return character.
13. Still on the Client Settings tab, leave the Enforce SSL field set to Yes if the Notes client embedded browser requires that any URL accessed at the IdP during the login sequence be protected with SSL.
14. If you are using SAML 2.0 and need to export a metadata file from Domino to use at the IdP, on the Certificate Management tab, enter a Company name to identify the certificate in the Domino metadata file (idp.xml) to be exported. Use any string convenient to your administrators. You might use the name to indicate the Domino server, for example Domino US Renovations, or a virtual name if representing one particular Internet site configuration on the Domino server, for example, Domino East Coast US Renovations.
    Tip: The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >).
15. Still on the Certificate Management tab, click Create Certificate (if prompted, save the document, return to the tab, and click the button a second time). When creating the certificate, Domino prepends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported.
16. Still on the Certificate Management tab, in the Domino URL field, enter a string to identify the fully qualified DNS name in a URL of the Domino server; for example, enter:
    https://your_SAML_service_provider_hostname
    The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino.
    Note: If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com.
    Tip: You can use the string you entered in the Service Provider ID field on the Basics tab.
17. Still on the Certificate Management tab, in the Single logout URL field, enter a URL if the IdP requires one, for example if your federation is Tivoli Federated Identity Manager (TFIM 2.0). The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the Domino metadata file, even though Domino does not currently implement a SAML 2.0 single logout feature. An example of a logout URL is:
    https://your_tfim_server.com/sps/samlTAM20/saml20
    Note: In this beta release the field may be labeled "SLO url."
18. At the top of the form, click the Export URL button to save the created idp.xml file as an attachment to the document.
19. Save and close the IdP Configuration document.


Table: Fields in the IdP Configuration document whose value is generated from the metadata.xml file
Field: Artifact resolution service URL
Restriction: For the beta release, this field is as yet unused and may be empty.
Description: Domino generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/soap.

Field: Single sign-on service URL
Description: If the data is available in the imported XML file, Domino generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial.
Note: The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary.

Field: Signing X.509 certificate
Description: Domino imports the certificate from file.

Field: Encryption X.509 certificate
Description: Domino imports the certificate from file.
Note: This field appears only when the Type field is set to SAML 2.0.

Field: Protocol support enumeration
Description: Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol.
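Because the imported signing certificate is what Domino later uses to verify assertions, it is worth inspecting metadata.xml before import. The following Python script is an added example (not IBM's code): it reads SAML 2.0 IdP metadata, lists the values behind the fields in the table above, and compares the signing certificate's SHA-256 fingerprint with one obtained from the IdP administrator out of band. The sample metadata is constructed, its certificate bodies are placeholder bytes, and its endpoint paths are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: placeholder bytes stand in for real X.509 certificates.
SIGN_B64 = base64.b64encode(b"constructed-signing-cert").decode()
ENC_B64 = base64.b64encode(b"constructed-encryption-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://tfim.renovations.com/FIM/sps/samlTAM20/saml20">
 <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{SIGN_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{ENC_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:ArtifactResolutionService index="0"
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://tfim.renovations.com/FIM/sps/samlTAM20/soap"/>
  <md:SingleSignOnService
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="https://tfim.renovations.com/FIM/sps/samlTAM20/saml20/login"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def summarize_idp_metadata(xml_text):
    """Extract the table's fields from IdP metadata and collect findings."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!doctype" in xml_text.lower():
        raise ValueError("metadata containing a DOCTYPE is refused")
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    summary = {
        "entity_id": root.get("entityID"),
        "protocol_support": idp.get("protocolSupportEnumeration", "").split(),
        "sso_urls": {}, "artifact_urls": {},
        "signing_sha256": [], "encryption_sha256": [], "findings": [],
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        text = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        if not text.strip():
            continue
        fp = fingerprint(base64.b64decode("".join(text.split())))
        use = kd.get("use")  # no "use" attribute means the key serves both
        if use in (None, "signing"):
            summary["signing_sha256"].append(fp)
        if use in (None, "encryption"):
            summary["encryption_sha256"].append(fp)

    for tag, key in (("SingleSignOnService", "sso_urls"),
                     ("ArtifactResolutionService", "artifact_urls")):
        for el in idp.findall(f"md:{tag}", NS):
            location = el.get("Location", "")
            summary[key][el.get("Binding", "")] = location
            if not location.lower().startswith("https://"):
                summary["findings"].append(f"{tag} endpoint is not HTTPS: {location}")

    if not summary["signing_sha256"]:
        summary["findings"].append("no signing certificate in metadata")
    if SAML2_PROTOCOL not in summary["protocol_support"]:
        summary["findings"].append("IdP does not advertise SAML 2.0 protocol support")
    return summary


def pin_matches(summary, expected_hex):
    """True if a signing certificate matches the out-of-band fingerprint."""
    wanted = expected_hex.replace(":", "").replace(" ", "").lower()
    return wanted in summary["signing_sha256"]


if __name__ == "__main__":
    info = summarize_idp_metadata(SAMPLE_METADATA)
    for name, value in info.items():
        print(f"{name}: {value}")
```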

What to do next
Follow the steps in Configuring SAML from the Internet Site document below, to enable SAML in the Internet Site document, and specify the preferred session cookie.

Note: If you later change the authentication type in the Internet Site document to remove SAML, your change does not disable SAML unless this IdP Configuration document is either disabled or deleted.


Configuring SAML from the Internet Site (Web Site) document


Use this procedure when configuring SAML authentication in one or more Internet Site (Web Site) documents.

About this task
If your organization has Internet Sites, use this procedure to enable SAML.

Note: The SAML option for Session authentication, and the corresponding fields in this procedure, also exist in the server Configuration document; but you should follow these steps there only if your organization does not use Internet Sites.

Procedure
1. From the Domino Administrator, select Configuration -> Web -> Internet Sites.
2. Open the Internet Site document for which you want to enable SAML-based single sign-on authentication.
3. Click the Domino Web Engine tab.
4. In the Session authentication field, select SAML. The IdP Catalog button appears.
5. (Optional) For Web SSO Configuration, select the existing configuration document you want to use. If the value for this field is specified, the SAML service provider uses the LTPA configuration specified in the SSO configuration document as the session cookie. If the value for this field is not specified, the SAML service provider uses a single server session cookie, and the user's SSO experience across multiple servers depends upon each server's being enabled as a SAML service provider and partnered with the same IdP. For more information, see the Information center topic Creating a Web SSO configuration document.
6. Leave the default of No specified for Force login on SSL.
7. The SAML single server session expiration field specifies the number of minutes the SAML session will be valid on the participating server. Leave the default of 120 minutes specified unless your organization's security requires a shorter or longer time than 2 hours for client users to have access using SAML. When the session expires, the SAML user must re-authenticate with the SAML IdP.
8. Leave Yes specified for When overriding session authentication, generate session cookie.
9. Click IdP Catalog to create a new configuration document in the idpcat.nsf and open a window to it. If a document already exists, it opens. Complete the document as described in Enabling the Domino server to provide SAML authentication, and save and close it.


Setting up a Domino server as a TFIM partner


You can configure Tivoli Federated Identity Manager for either SAML 1.1 or SAML 2.0.

About this task
For the details necessary to make the Domino server a partner with TFIM, see the appropriate "cookbook", available at the beta download site. You can also find general instructions for setting up a TFIM partner in the related reference topic.

Related reference
Adding your partner

Procedure
1. While creating the TFIM federation on the IdP, use the exported Domino metadata file. See Setting up a Tivoli Federated Identity Manager (TFIM) federation.
   Note: You can set up a TFIM federation on the IdP manually if deploying a SAML 1.1 federation; however a SAML 2.0 federation at TFIM requires a Domino metadata file.
2. Set up the partnership with the following values:
   - Specify HTTP Post for the partner.
   - The service provider ID should be the same as the Web URL for the Domino HTTPS server, for example, https://domino1.us.renovations.com.
     Note: If SSL is not configured at Domino, this setting would include http instead of https, for example: http://domino1.us.renovations.com.
   - The assertion consumer URL uses your server Web URL, the Domino Directory file name, and a required command (?SAMLLogin), for example, https://domino1.us.renovations.com/names.nsf?SAMLLogin

Restarting the Domino Web (HTTP) server


After both the IdP Configuration document and the Domino server partnership are in place, restart the Domino HTTP server so that SAML authentication can take effect.

- At the server console, start the HTTP process by typing:
    load HTTP
  If the HTTP process is already running, type:
    tell HTTP restart


Encrypting SAML assertions


In this beta release and later, you can encrypt SAML assertions. Your organization may require SAML assertions to be encrypted if assertions include attributes that contain sensitive personal data, for example, social security numbers. Domino encrypts entire SAML assertions; partial encryption of specific attributes is not available. For instructions on encrypting assertions at either the TFIM or ADFS IdP, see:

Cookbook: Encrypting SAML assertions

Supporting federated login on the Notes client
Federated-identity authentication using the Security Assertion Markup Language (SAML) standard relieves Notes client users of the need to enter a Notes password.

Important: Testing federated login in this beta release requires following complete instructions in the appropriate "cookbook", available from the beta download site.

Tip: The Domino ID vault server participating in federated login typically does not have the Domino Web server configured, but your organization may use such a combination if necessary. If the Domino ID vault server is configured as a Domino Web server, you may be able to use a single SAML partnership for both the Web server and the ID vault server. When the vault server is also a Web server, follow the procedure above in Enabling the Domino Web server to provide SAML authentication, instead of the cookbook procedure, to configure the ID vault server.

Supporting federated login on the iNotes client


Federated-identity authentication using the Security Assertion Markup Language (SAML) standard relieves IBM iNotes client users of the need to enter a password through the use of Web federated login. Users' IDs must be stored in an ID vault whose server is configured with host names for identity provider (IdP) partnerships.

Important: For this beta release only, add the following setting to the NOTES.INI file on all servers and Notes clients participating in Notes federated login:

   SECURE_USE_INMEM_IDFILES=1

Before you begin
This procedure assumes that your organization uses more than one computer for the server running iNotes and the ID vault server. The IdP Catalog application must reside on both the vault server and the server running iNotes.

Note: The SAML IdP needs to know where to send the user's SAML assertion. When configuring the IdP in a document in the IdP Catalog, you will specify a valid URL to the server that runs iNotes. The vault server is not contacted by the IdP directly. Instead, the SAML assertion is sent first to the server that runs iNotes, and that server in turn sends the assertion to the ID vault server.


Using a single computer for the Domino Web server running iNotes and the ID vault server
The ID vault server participating in Web federated login typically does not have the Web server configured, but your organization may use a single computer to run both servers. When the ID vault server is separate, it does not need to observe SSL. But if there is a requirement to use SSL for the Web server (for example, your federation is ADFS 2.0), and they are on the same computer, SSL must be enabled.

About this task
Web federated login requires four components:
- A Web browser client for all iNotes users
- Web server running iNotes and functioning as the home (mail) server for iNotes client users
- ID vault server
- SAML Identity Provider (IdP)

Perform these tasks:
1. Deploying the ID vault and security policy for Web federated login
   If the ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for iNotes client users, as well as a security policy to apply to such users.
2. Setting up the SAML identity provider and federation
   Decide whether your organization will use Microsoft ADFS or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider for Domino and iNotes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Web federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file, as well as setting up the Domino server that runs iNotes as a SAML partner.
3. Enabling the Web server that runs iNotes to provide SAML authentication
   You enable Security Assertion Markup Language (SAML) authentication on iNotes using the IdP Catalog application. If the server is password-protected, there may be additional tasks.
4. Configuring the ID vault for Web federated login
   The Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).
5. Using a security settings policy to apply a Web federated login configuration to iNotes client users
   After SAML-based federated login is configured on your server and identity provider (IdP), you can assign its use to iNotes client users through the security policy.


Deploying the ID vault and security policy for Web federated login
If the ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for iNotes client users, as well as a security policy to apply to such users.

Before you begin
- You must have at least Editor access to the Directory, and access to, if one exists, the ID file and password for the ID vault server.
- Users who are meant to participate in Web federated login must have their ID files stored in the ID vault.
- Any user affected by the policy must have an Internet e-mail address that is known to either by being specified in a Person document in the Directory, or retrievable to the directory by use of directory assistance.

About this task
A user's SAML assertion contains an e-mail address for the user. must be able to map each user's e-mail address to the user's distinguished name. This required mapping is why all users affected by the policy must have an Internet e-mail address specified in their Person documents in the Directory, so that the IdP can use that e-mail address in its SAML assertion.

Procedure
1. Create the ID vault by running the ID vault creation wizard; for instructions, see the related topics.
2. As part of deploying the ID vault, create the security policy. On the server running iNotes, the policy exists in the Directory (names.nsf). The policy should also exist in the Directory on the ID vault server.
3. Ensure that the policy allows to use the ID vault.
4. Apply the security policy to user organizations (or to specific users) who will have their ID files stored in this ID vault.

What to do next
Take these confirmation steps:
- To see whether a user's ID file has been uploaded to the vault, a vault administrator can open the ID vault application and check for the user's name in the Vault Users view.
- If your organization's users are managed in Directory Person documents, check a test user's Person document, Internet address field, for the user's e-mail address.
- If the users are managed in a directory configured with directory assistance, check the LDAP attribute (for example, the Mail attribute) for the user's e-mail address.


Setting up the SAML identity provider and federation


Decide whether your organization will use Microsoft ADFS or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider for Domino and iNotes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Web federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file, as well as setting up the Domino server that runs iNotes as a SAML partner.

Procedure
1. Decide on the SAML federation to use, and follow all instructions to configure the federation to work with Domino in the following cookbooks:
   - Cookbook: Setting up new Relying Party Trust for AD FS 2.0
   - Cookbook: Setting up a new federation on TFIM 1.1
   - Cookbook: Setting up a new Federation on TFIM 2.0
   - Cookbook: Setting up a new partner on TFIM
2. If you are using TFIM as your federation, follow the instructions to configure a Domino server as a TFIM partner in the related topic below.

Enabling the Web server that runs iNotes to provide SAML authentication
You enable Security Assertion Markup Language (SAML) authentication on iNotes using the IdP Catalog application. If the server is password-protected, there may be additional tasks.

Before you begin
- The identity provider (IdP) you intend to use with the Web server must be configured before you enable SAML on the Web server running iNotes. See the related topics.
- You must have access to the vault ID file and password, and have Editor access to the Directory.
- Obtain a copy of the metadata.xml file that was exported from the identity provider (IdP), and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Administrator client.
- If the IdP Catalog (idpcat.nsf) application already exists, you must have access to create documents in it.
- It is recommended that you use SSL security for your SAML configuration; if your federation is Microsoft Windows Active Directory (ADFS), SSL is required.
- Log in as a test user to confirm that SAML authentication is enabled. To do so, open a browser and enter the URL for the Web server running iNotes, for example: https://domino1.us.renovations.com. Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before mail is displayed in the browser. If SAML authentication is properly configured at the server, you will see the test user's mail displayed in the browser. iNotes may prompt for a password to the ID file before allowing access to encrypted mail.
- After you have verified that a user can be authenticated by SAML to start, then follow the procedure below, after which the test user should no longer see a password prompt for access to encrypted mail.


About this task
The IdP Catalog application must exist on the server that hosts the ID vault whether or not that is the same computer that runs iNotes. If the ID vault and the Domino server running iNotes are on separate computers, make sure that the catalog application exists on each server, and create an IdP Config document specific to each server. The document for the server running iNotes and the document for the vault server each have a different value in the Host names or addresses mapped to this site field. If you are creating certificates for use with SAML-encrypted assertions, the iNotes server and ID vault server require separate certificates.

Tip: You can create the two IdP Config documents in one IdP catalog application, and replicate that application to both servers.

The procedure below sets up the catalog document for the ID vault server. For the server running iNotes, follow instructions for the Domino Web server enablement for SAML. See the "What to do next" section below.

The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP.

Important: If the server has a server.id file protected by a password, the administrator cannot use the Create Certificate button described below to create a metadata file. Instead, see the task in this sequence on creating the metadata file if the server.id file is password-protected.

Important: If you later modify an existing SAML IdP Configuration document or add a new one, restart the HTTP process on the Web server so that the changes are recognized.

Note: Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.

Procedure
1. From the Administrator client, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists.
   Caution: If your server is running on UNIX, make sure the file name is all lower-case.
2. Assign access in the ACL only to any SAML administrator(s) and to the server.
   Note: If the idpcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL.
3. Click Add IdP Config to create a new configuration document.
   Note: If you have additional Internet Site documents in your organization, and you want SAML authentication used at these additional Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see the related topic on configuring SAML from the Internet Site document.


4. On the Basics tab, in the Host names or addresses mapped to this site field, enter a virtual name for the ID vault. It is recommended that you use a virtual DNS hostname with a differentiating string such as "vault", so that it will not be confused with a similar hostname on the network. The resulting hostname does not need to be defined in DNS.
   Restriction: If your Web server is using SSL, you must include an IP address after the virtual host name, separated by a semicolon.
   Important: The virtual host name you enter here should match what is entered in either the Host name(s) field on the Internet Protocols/HTTP tab in the Server document (if the ID vault is on the server that runs iNotes), or the Host names or addresses mapped to this site field of the corresponding Internet Site document to the ID vault server. In this way you can specify that the ID vault server should share the common identity provider partnership already established for the server running iNotes.
   For example, enter vault.us.renovations.com;n.nn.nnn.n.
5. In the IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience. For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM).
6. In the Protocol version field, select the SAML version already configured for the partnership.
   Important: SAML 2.0 is required if your federation is configured on Microsoft Windows ADFS.
7. Leave State for this Configuration document as Enabled (the default).
8. In the Federation product field, select either TFIM for IBM Tivoli Federated Identity Manager or ADFS for Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS.
9. In the Service provider ID field, enter the string that identifies the virtual name for the ID vault as a service provider partner with the IdP. This string should be the HTTP URL for the server running iNotes with the virtual name for the ID vault, for example, https://vault.domino1.us.renovations.com.
   Note: The ID vault server does not need to be enabled for HTTP; only the server running iNotes does. If SSL is not configured at iNotes and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://vault.domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string.
   Important: An entry is required in this field to use the Create Certificate button on the Certificate Management tab.
10. Click Import XML file, and specify the metadata.xml file exported from the IdP. It is recommended that you leave intact the information supplied from the imported XML file.
   Note: If the federation is configured on ADFS, this file may have a slightly different name, for example, FederationMetadata.xml.


Table 1. Fields in the IdP Configuration document whose values are generated from the metadata.xml file

Field: Artifact resolution service URL
Description: Generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/soap.

Field: Single sign-on service URL
Description: If the data is available in the imported XML file, generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial.
Note: The value in this field is a subset of the expected URL to the IdP. The server generates the full URL when necessary.

Field: Signing X.509 certificate
Description: Imports the certificate code from file.

Field: Encryption X.509 certificate
Description: Imports the certificate code from file.
Note: This field appears only when the Type field is set to SAML 2.0.

Field: Protocol support enumeration
Description: Generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol.

11. If you are using SAML 2.0 and need to export a certificate to use at the IdP, on the Certificate Management tab, perform all of the following substeps:
   a. In the Company name field, enter a name to identify the certificate in the metadata file (idp.xml) to be exported. Use any string convenient to your administrators. This string should identify the ID vault server, for example, Domino RenovationsID Vault.
      Tip: The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >).
   b. Click Create Certificate. If prompted, save the document, return to the tab, and click the button a second time. When the certificate is created, "CN=" is prepended to the string in the Company name field, and the resulting name is used as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported.
   c. In the Domino URL field, enter a string to identify the fully qualified DNS virtual name for the ID vault in a URL of the server. For example, enter: https://your_iNotes_virtual_name_for_ID_vault_SAML_service_provider_hostname
      The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to the service provider.
      Note: If SSL is not configured at iNotes and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://vault.domino1.us.renovations.com.
      Note: You can use the string you entered in the Service Provider ID field on the Basics tab.
   d. In the Single logout URL field, enter a URL if the IdP requires one, for example if your federation is Tivoli Federated Identity Manager (TFIM 2.0). The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the metadata file, even though Notes and Domino do not currently implement a SAML 2.0 single logout feature. An example of a logout URL is: https://your_tfim_server.com/sps/samlTAM20/saml20
12. At the top of the form, click the Export URL button to save the created idp.xml file as an attachment to the document.
   Note: This button is visible only when a previously created idp.xml file is not already attached.
13. Save and close the IdP Configuration document.

What to do next

If you use Internet Site documents, follow the steps in the related topics on them, to enable SAML and to specify the preferred session cookie.

Note: If you later change the authentication type in the Internet Site document to remove SAML, your change has no effect to disable SAML unless this IdP Configuration document is either disabled or deleted.

Configuring the ID vault for Web federated login


The Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).

About this task

The ID vault administrator must approve the use of an IdP that will provide SAML credentials. The ID vault administrator decides which IdP is trustworthy. Only credentials from a trusted IdP can be used for downloading an ID file stored in this ID vault. The administrator supplies host names for identity provider (IdP) partnerships to the ID vault in a vault document. The vault server uses the host names to look up IdP information from the IdP Catalog application (idpcat.nsf).

Tip: The Notes ID vault does not use the Domino Web (HTTP) server. On the ID vault server, the HTTP server task does not need to be configured.


Procedure

1. From the Domino Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory.
2. From the Configuration view, open the vault document for the vault that will be configured for SAML authentication.
3. In the Web federated login approved IdP configurations field, specify a host name. Enter a value from the Host names or addresses mapped to this site field of the IdP Configuration document that corresponds to a trusted IdP which is approved to log in the iNotes users in this vault. For example, if the Renovations organization has created an IdP Configuration document in the IdP Catalog for vault.domino1.us.renovations.com, which is in partnership with a trusted IdP, then the Web federated login approved IdP configurations field in the vault document would contain vault.domino1.us.renovations.com.
4. Save and close the vault document.

Using a security settings policy to apply a Web federated login configuration to iNotes client users
After SAML-based federated login is configured on your server and identity provider (IdP), you can assign its use to iNotes client users through the security policy.

Before you begin

For this task, you will use the security policy already deployed in a previous task of this sequence for users of your ID vault. Before you can apply the policy to support federated login, you also need to export a copy of the Internet SSL certificate from your federation (ADFS or TFIM 2.0), import that certifier into your Directory, and cross-certify. For the procedure, see the related topic on creating an Internet cross-certificate.

Procedure

1. In the Directory, open the existing Security Settings policy for users of your organization's ID vault.
2. On the ID Vault tab, make sure there is an assigned vault.
3. Select the Password Management -> Federated Login tab.
4. Select Yes for Enable Web federated login with SAML IdP.
5. Select Set value whenever modified for How to apply this setting.
6. Select No for Allow User Changes.
8. Save and close the security policy.


Results

For any user to whom the policy applies, the settings for federated login will be activated on the user's next login.

What to do next

Log in as a test user to confirm that Web federated login is enabled. To do so, open a browser and enter the URL for the Web server running iNotes, for example: https://domino1.us.renovations.com. Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before mail is displayed in the browser. If SAML authentication is properly configured at the server, you will see the test user's mail displayed in the browser. If Web federated login is also properly configured, the test user should no longer see a password prompt for access to encrypted mail.

Cautioning client users about SAML and logout


Notes and Domino do not support a single logout feature, so if you configure SAML in your organization, make sure that your users employ safety methods at their desktops to prevent physical access to Notes/Domino resources.

If a SAML IdP is configured to continuously remember that a user has logged in on a particular machine, the IdP may leave cookies or set other state to identify the user. Notes/Domino logout mechanisms do not affect the IdP, or the state of the user's desktop containing user information set by the IdP. After a user has logged in to the SAML IdP, the IdP may seamlessly provide SAML assertions on behalf of the user to be accepted for authentication by a Domino server configured as a SAML SP. It is critical that the end user's computer is secured (for example, using an operating system "Lock computer" feature or password-protected screen saver) to prevent someone from walking up to the user's unattended machine and gaining access to Notes/Domino resources.

Especially for Domino web users sharing one desktop, there is potential for confusion at the IdP. Once a user has logged in at the IdP, the IdP might assume any subsequent usage is a continuation by the same user. This scenario can be avoided if multiple users at one desktop are required to log in as separate users to the operating system, and if the IdP is configured to authenticate any user by integrated Windows authentication using SPNEGO/Kerberos (IWA). If IWA is used at the IdP, the IdP will not confuse the users who have logged in separately to the operating system.

Serviceability

You can use the command DEBUG_SAML in the server console or as a parameter in the server NOTES.INI file to enable/disable SAML diagnostics. The setting is dynamic; it does not require a Domino server restart.

To enable SAML diagnostics, enter the following:
    set config DEBUG_SAML=1

To disable SAML diagnostics, enter the following:
    set config DEBUG_SAML=0

SAML debug output that is http specific: This is the SAML redirect URL which would be sent back to the browser from the http server after attempting to authenticate in Domino:


DEBUG_SAML=1
Use this parameter to trace general http processing. For example, you may want to check the SAML redirection URL or see what user is being authenticated.

SAML Redirect URL
    [1108:000A-09DC] SAML1RedirectURL: https://yourservername.com/FIM/sps/samlTAM/saml11/login?TARGET=http://yourusername.yourservername.com/testdb.nsf

SAML User name
    [1108:000A-09DC] SAML User - sec_master
    [1108:000A-09DC] SAML Timeout Before date: - 2011-09-13T15:43:04Z

DEBUG_SAML=2
Use this parameter to get detailed information about what is going on in the SAML parsing code. This may help in determining how far along the parsing went before failing.

SAML Parsing debug for above decoded SAML assertion:
    [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Reference size 33 : 0
    [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Certificates size 2BC : 0
    [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Digest size 1C : 0
    [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Signature size AC : 0
    [1108:000A-09DC] 09/13/2011 11:53:05.59 AM SECVerifySAMLSignature> DecodeB64 Digest: 0
    [1108:000A-09DC] 09/13/2011 11:53:05.59 AM SECVerifySAMLSignature> DecodeB64 Certificates: 0
    [1108:000A-09DC] 09/13/2011 11:53:05.61 AM SECVerifySAMLSignature> DecodeB64 Signature: 0
    [1108:000A-09DC] 09/13/2011 11:53:05.92 AM SECVerifySAMLSignature> GetInetCertifierCertFromNAB: 0
    [1108:000A-09DC] 09/13/2011 11:53:05.92 AM SECVerifySAMLSignature> Cert509_GetSubjectPublicKeyInfo: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCreateKeyObject: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCreateAlgObject: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCryptoInit :0
    [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCryptoUpdate: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> SECCryptoUpdate - Final : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> Exiting : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECSAMLVerifySignatureOnNode> SECVerifySAMLSignature : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECSAMLVerifySignatureOnNode> Exiting :0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAML> SECSAMLVerifySignatureOnNode : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotOnOrAfter : 2011-09-13T16:03:04Z : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotBefore : 2011-09-13T15:43:04Z : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> NameIdentifier : sec_master : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> Audience : http://tboyd64.swg.usma.ibm.com : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> Exiting : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> SECParseSAMLAssertion : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Reference size 2C : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Certificates size 2BC : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Digest size 1C : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemoryAllocAndZero Signature size AC : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Digest: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Certificates: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Signature: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> GetInetCertifierCertFromNAB: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> Cert509_GetSubjectPublicKeyInfo: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCreateKeyObject: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCreateAlgObject: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoInit :0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoUpdate: 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoUpdate - Final : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> Exiting : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECVerifySAMLSignature : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> Exiting :0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> SECSAMLVerifySignatureOnNode : 0
    [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> Exiting : 0

DEBUG_SAML=4
Print errors that occurred during http processing. For example:
    Unable to decode SAML token: 22:22
    SECParseSAML failed with error: 22:22

DEBUG_SAML=8
If you are interested in looking at the decoded SAML assertion on the console, use this parameter to help troubleshoot assertion issues.


DEBUG_SAML=15
If you are interested in looking at all the above SAML information on the console, use this parameter to help troubleshoot issues.

DEBUG_SAML=31
If you need highly detailed troubleshooting information, particularly regarding lookup and management of information in idpcat.nsf, use this parameter.
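The DEBUG_SAML=2 trace is meant to show how far parsing got before it failed, so the following added example (not IBM code) reads trace entries in the format shown above, reports the first step with a non-zero status, and checks the logged validity window and audience. It assumes that the trailing number on each entry is a hexadecimal status where 0 means success, and that the Audience issued by the IdP should equal the Service provider ID; the failing trace is constructed for the demonstration.

```python
"""Summarise a DEBUG_SAML=2 console trace (added example, not IBM code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# "[thread] MM/DD/YYYY HH:MM:SS.hh AM Function> detail : status"
LINE_RE = re.compile(
    r"^\[(?P<thread>[0-9A-Fa-f]+:[0-9A-Fa-f]+-[0-9A-Fa-f]+)\]\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2} [AP]M)\s+"
    r"(?P<func>\w+)>\s+(?P<rest>.*)$"
)
# Greedy detail: the LAST colon separates the status, because values such as
# URLs and ISO timestamps contain colons themselves.
TAIL_RE = re.compile(r"^(?P<detail>.*):\s*(?P<status>[0-9A-Fa-f]+)\s*$")
FIELDS = ("NotBefore", "NotOnOrAfter", "NameIdentifier", "Audience")


@dataclass
class TraceEntry:
    thread: str
    timestamp: str
    func: str
    detail: str
    status: int  # ASSUMPTION: trailing number is a hex status, 0 = success


def parse_trace(text: str) -> List[TraceEntry]:
    entries = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        tail = TAIL_RE.match(line["rest"]) if line else None
        if tail:  # skip anything that is not a complete trace entry
            entries.append(TraceEntry(line["thread"], line["ts"], line["func"],
                                      tail["detail"].strip(), int(tail["status"], 16)))
    return entries


def first_failure(entries: List[TraceEntry]) -> Optional[TraceEntry]:
    """Earliest non-zero status, i.e. how far parsing got before failing."""
    return next((e for e in entries if e.status != 0), None)


def assertion_fields(entries: List[TraceEntry]) -> dict:
    """Collect the 'Name : value' pairs logged by SECParseSAMLAssertion."""
    found = {}
    for e in entries:
        name, sep, value = e.detail.partition(":")
        if e.func == "SECParseSAMLAssertion" and sep and name.strip() in FIELDS:
            found[name.strip()] = value.strip()
    return found


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review(entries, now_utc: datetime, service_provider_id: str) -> List[str]:
    """Findings for one trace; an empty list means nothing to chase."""
    findings = []
    bad = first_failure(entries)
    if bad:
        findings.append(f"{bad.func} failed at '{bad.detail}' (status {bad.status:X})")
    f = assertion_fields(entries)
    if "NotBefore" in f and now_utc < _utc(f["NotBefore"]):
        findings.append("assertion not yet valid: compare server and IdP clocks")
    if "NotOnOrAfter" in f and now_utc >= _utc(f["NotOnOrAfter"]):
        findings.append("assertion expired: compare server and IdP clocks")
    if "Audience" in f and f["Audience"] != service_provider_id:
        findings.append(f"audience {f['Audience']} is not {service_provider_id}")
    return findings


# Entries taken from the page's sample trace, one per line.
GOOD_TRACE = """\
[1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> SECCryptoUpdate - Final : 0
[1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> Exiting : 0
[1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotOnOrAfter : 2011-09-13T16:03:04Z : 0
[1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotBefore : 2011-09-13T15:43:04Z : 0
[1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> NameIdentifier : sec_master : 0
[1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> Audience : http://tboyd64.swg.usma.ibm.com : 0
"""
# CONSTRUCTED failure: same format, non-zero status invented for the demo.
BAD_TRACE = """\
[1108:000A-09DC] 09/13/2011 11:53:05.61 AM SECVerifySAMLSignature> DecodeB64 Signature: 0
[1108:000A-09DC] 09/13/2011 11:53:05.92 AM SECVerifySAMLSignature> GetInetCertifierCertFromNAB: 22
"""

if __name__ == "__main__":
    now = datetime(2011, 9, 13, 15, 53, 6, tzinfo=timezone.utc)
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        print(label, review(parse_trace(trace), now, "http://tboyd64.swg.usma.ibm.com"))
```

Pass the current time in UTC, because the assertion's NotBefore and NotOnOrAfter values are UTC while the console timestamps are local server time.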

Decoded SAML assertion



Changes to policy settings for return receipts

In this beta release, there are changes and enhancements to return receipt behavior on both outgoing and incoming mail messages. For Notes client users, the administrator can configure the behavior through a combination of policy settings and NOTES.INI settings on the Domino server. The settings are configured entirely through NOTES.INI settings for IBM iNotes client users (see below).

Outgoing messages (Notes client users)

The administrator can prevent client users from using settings for a return receipt on outgoing messages. Previously, administrators could control only default behavior of whether or not return receipts would be requested. Now an additional setting allows administrators to disable return receipt settings completely. On the Mail > Basics tab of Mail Settings policy documents, the check box is under Outgoing Mail Checking: Do not allow users to set return receipt. After administrators apply this setting by policy, the following elements appear dimmed for client users:

- the Return receipt check box in the Delivery Options dialog box
- the Send me a Return Receipt when recipients read mail I send check box on the Mail > Basics tab in Mail Preferences (Notes client users only; iNotes users do not have this preference)
- the Return receipt check box at the top of a mail message (visible if the client user selects Display->Additional Mail Options)

Incoming messages (Notes client users)

By default, when a Notes client user receives an incoming message requesting a return receipt, if Do not allow users to set return receipt has been set in a policy that applies to the user, the user now sees this prompt:

The administrator can prevent this prompt from appearing at all for Notes client users, and also choose whether to send a return receipt on such incoming messages without the users' knowledge, or send no receipt. The following parameter prevents the prompt from appearing and sends a return receipt:
ReturnReceiptDisabled_AlwaysSend=1

The following parameter prevents the prompt from appearing and sends no return receipt (the return receipt item is stripped from message).
ReturnReceiptDisabled_NeverSend=1


iNotes client users

In this beta release, you can set a server NOTES.INI parameter to show (or suppress) a similar prompt for iNotes client users that appears by default. The prompt lets the user choose whether to acknowledge a request for a return receipt on an incoming message. If you do not set the NOTES.INI parameter, the prompt always appears when the user receives such a request.

- iNotes_WA_SendReturnReceipt=2
  Displays a prompt giving the iNotes user the choice whether to acknowledge a request for a return receipt.
- iNotes_WA_SendReturnReceipt=1
  Always sends a return receipt; does not notify the user.
- iNotes_WA_SendReturnReceipt=0
  Never sends a return receipt; does not notify the user.

Program document now supports server groups and pattern matching

In this beta release, you can specify the names of server groups in the Servers to run on field in the Program document. Any server group name that you use must be a Server only type of group (not a multi-purpose group). You can now also use a pattern-matching character in the Servers to run on field. A pattern-matching character -- the question mark (?) -- allows you to include all servers where one or more subsequent characters in the server name vary, for example: Sales??/Renovations includes Sales01/Renovations, Sales02/Renovations, and so on. An additional pattern-matching enhancement is now provided: You can use an asterisk (*) anywhere within a group name; you are not limited to the leftmost component of the hierarchical name. For example: Sales*/Renovations includes Sales001/Renovations, Sales002/Renovations, and so on.

IBM HTTP Server (IHS) can now run on the same computer as a Domino server and support Transport Layer Security (TLS)
Domino has the option of running the IBM HTTP Server on the same computer as a Domino HTTP server; the purpose of this enhancement is to support the Transport Layer Security (TLS) protocol.

Note: In this beta release, this IHS server module is supported only on Windows.

In this beta release, a pass-through reverse proxy module named mod_domino is provided to forward HTTP requests to the Domino HTTP server. The pass-through reverse proxy module creates the context necessary to have the Domino HTTP server provide the HTTP request context expected by Domino Web applications, as if the Domino HTTP server were in direct contact with the browser client. Using the proxy module allows an IHS server to run "in front of" the Domino server.


Installing the module

1. Start the installation of the Domino server.
2. Under Choose the installation type that best suits your needs, select Customize Domino Server.
3. Under Select the features for "Lotus Domino" you would like to install, enable the check box IBM HTTP server (installed).
4. Complete the installation, but do not start the server yet.

Configuring the IBM HTTP server to reside on the same computer as the Domino HTTP server

The IBM HTTP server configuration file that is used to start the IBM HTTP server is named domino.conf and is located in the Domino Program directory under the ihs\conf subdirectory. The installation does not assume any port configuration. By default all listen ports are disabled in the domino.conf file. You must enable any listen ports you want the server to use.

1. To allow the IBM HTTP Server to accept HTTP connections, enable normal HTTP port 80, and remove the comment character (#) for the following line(s) in the domino.conf file:

    # IPv4 support:
    #Listen 0.0.0.0:80
    # Uncomment the following line for IPv6 support on Windows XP or Windows
    # 2003 or later. Windows IPv6 networking must be configured first.
    # Listen [::]:80

   Example (section showing port 80 enabled for IPv4):

    # IPv4 support:
    Listen 0.0.0.0:80
    # Uncomment the following line for IPv6 support on Windows XP or Windows
    # 2003 or later. Windows IPv6 networking must be configured first.
    # Listen [::]:80

2. To allow the IBM HTTP Server to accept HTTP SSL connections, enable the SSL/TLS port 443, and remove the comment character (#) for the following line(s) in the domino.conf file:

    # To enable ssl, uncomment and add/change the
    # appropriate directives
    #Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443
    #<VirtualHost *:443>
    #SSLEnable
    #SSLClientAuth optional
    #SSLProtocolDisable SSLv2
    #SSLProtocolDisable SSLv3
    #</VirtualHost>
    #KeyFile <domino_program_directory>/ihs/ihsserverkey.kdb
    #SSLDisable

   Example (section showing port 443 enabled for IPv4 with a SSL keyring file located on d:/keys/myserver.kdb):

    Listen 0.0.0.0:443
    ## IPv6 support:
    #Listen [::]:443
    <VirtualHost *:443>
    SSLEnable
    SSLClientAuth optional
    #SSLProtocolDisable SSLv2
    #SSLProtocolDisable SSLv3
    </VirtualHost>
    KeyFile d:/keys/myserver.kdb
    SSLDisable
    #

3. To prepare the server to accept SSL/TLS connections, configure the SSL/TLS key database. Use the ikeyman utility provided with the IBM HTTP Server, and located in the Domino Program directory under ihs\bin, to create and configure the key database.
4. After the key database is created, make sure the KeyFile directive in the portion of the domino.conf file shown above points to the fully qualified file name of the key database.

Note For an existing Domino server, the Domino key ring file cannot be used as a key database, and all necessary certificates that exist in the Domino key ring file must be re-imported from the originating Certificate Authorities into the IBM HTTP Server key database.

See the following link for more information on the configuration of SSL/TLS in the IBM HTTP server: Guide to properly setting up SSL within the IBM HTTP Server
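An added example, not part of the IBM release notes: a Python check that reads a domino.conf and reports which Listen ports are active and whether each SSL-enabled virtual host still leaves the SSLProtocolDisable lines for SSLv2 and SSLv3 commented out, as the port 443 example above does. The sample text is constructed from the directives shown on this page; the finding names, and the choice to look for SSLProtocolDisable only inside the VirtualHost block, are assumptions of this example.

```python
import re

# Constructed sample: the directives from this page's port 80 and port 443
# examples, combined into one file.
SAMPLE_CONF = """\
# IPv4 support:
Listen 0.0.0.0:80
Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
<VirtualHost *:443>
SSLEnable
SSLClientAuth optional
#SSLProtocolDisable SSLv2
#SSLProtocolDisable SSLv3
</VirtualHost>
KeyFile d:/keys/myserver.kdb
SSLDisable
"""


def port_of(addr):
    """Port from '0.0.0.0:80', '[::]:443', '*:443' or '80'; None if absent."""
    m = re.search(r"(?:^|:)(\d+)$", addr.strip())
    return int(m.group(1)) if m else None


def parse_conf(text):
    """Split active (uncommented) directives into global scope and vhosts."""
    global_dirs, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1), "directives": []}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        else:
            name, _, arg = line.partition(" ")
            target = current["directives"] if current else global_dirs
            target.append((name.lower(), arg.strip()))
    return global_dirs, vhosts


def audit(text):
    """Return the active listen ports and a list of finding names."""
    global_dirs, vhosts = parse_conf(text)
    ports = sorted({port_of(a) for n, a in global_dirs if n == "listen"} - {None})
    findings = []
    if not ports:
        # The shipped file has every Listen line commented out.
        findings.append("NO_LISTEN")
    ssl_vhosts = [v for v in vhosts if ("sslenable", "") in v["directives"]]
    if 443 in ports and 443 not in {port_of(v["addr"]) for v in ssl_vhosts}:
        findings.append("PORT_443_WITHOUT_SSLENABLE")
    for v in ssl_vhosts:
        # SSLv2 and SSLv3 are deprecated protocol versions (RFC 6176, RFC 7568).
        disabled = {p.lower() for n, a in v["directives"]
                    if n == "sslprotocoldisable" for p in a.split()}
        for proto in ("sslv2", "sslv3"):
            if proto not in disabled:
                findings.append(proto.upper() + "_NOT_DISABLED")
    if ssl_vhosts:
        all_dirs = global_dirs + [d for v in vhosts for d in v["directives"]]
        keyfiles = [a for n, a in all_dirs if n == "keyfile"]
        if not keyfiles:
            findings.append("KEYFILE_MISSING")
        elif any(k.startswith("<domino_program_directory") for k in keyfiles):
            findings.append("KEYFILE_PLACEHOLDER")  # template path never edited
    return {"ports": ports, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Removing the comment character from the two SSLProtocolDisable lines in the sample clears both protocol findings.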

Configuring the Domino HTTP server to start, stop, and run the IBM HTTP server
In the NOTES.INI file on the Domino server, add the following parameter:

    HTTPIHSEnabled=1

This setting changes the Domino HTTP server to behave as follows:

- The setting disables the usual ports configured in the Domino Directory (these are most often HTTP port 80 and the HTTPS port 443).
- The Domino HTTP server connection settings are overridden with settings that maximize the re-use of connections between mod_domino/IBM HTTP Server and the Domino HTTP server.

By default, the Domino HTTP server listens on port 9288 for loop back connections from mod_domino/IBM HTTP Server. The Domino HTTP server only accepts connections that originate from the same computer. By default, mod_domino uses the local loop back address of 127.0.0.1 to connect to the Domino HTTP server. Both server processes must run on the same computer.

Environment variables for startup


Before the IBM HTTP Server is started by the Domino HTTP server, the following environment variables are set automatically in this configuration; you should not need to modify any of them. These environment variables are specified in the ihs\conf\domino.conf file and are used to specify the values of IBM HTTP Server directives in the domino.conf file.

DOMINO_IHS_ROOT=C:/domino/ihs
    Set to the root directory where the IBM HTTP Server is installed. This setting cannot be changed.

DOMINO_SERVER_NAME=foo.swg.usma.ibm.com
    Set to the fully qualified TCP name of the machine the Domino Server is installed on. This setting cannot be changed.

DOMINO_DOCUMENT_ROOT=c:/domino/data/domino/html
    Set to the document root where Domino html files are located. This setting cannot be changed.

DOMINO_DOCUMENT_DIRECTORY=c:/domino/data/domino
    Set to the base directory where Domino file system files may reside. This setting cannot be changed.

DOMINO_PORT=9288
    Set to the port number that the Domino Web Server listens on for connections from mod_domino. The default port is 9288. This setting can be changed by setting the following notes.ini value:
    HTTPConnectorPort=<port number>

DOMINO_MAX_REQUESTLINE=4108
    Set to the maximum request line length. This setting is derived from the Maximum URL length: field on the http tab in the name and address book. A fixed number of bytes is added to account for the HTTP method and HTTP protocol strings.

DOMINO_TECH_SUPPORT=c:/domino/data/IBM_TECHNICAL_SUPPORT
    Set to the domino technical support directory. This setting cannot be changed.

DOMINO_RESPONSE_TIMEOUT=300
    Set to the amount of time in seconds that the mod_domino plugin will wait for the initial response from the Domino HTTP server. The default is 300 seconds for a non-traveler server. For a traveler server this setting is set to the Heartbeat Algorithm Maximum Interval: field on the Lotus Traveler tab in the name and address book. This setting can be changed by the following notes.ini value:
    HTTPIHSModDominoResponseTimeout=<time out value in seconds>

DOMINO_THREADS=120
    This value is set to the number of Domino threads multiplied by three (3) for the optimal threads to connections between mod_domino and the Domino HTTP server. This is the default for non-traveler servers. For Lotus Traveler Servers this number is set to the same number of threads as the Domino HTTP server. This setting can be changed by the following notes.ini value; however, the general recommendation is to leave it alone unless there is a use case that requires a change.
    HTTPIHSThreads=<number of IBM HTTP Server threads>

Serviceability settings
You can use a NOTES.INI setting to display environment variables that are used in the domino.conf configuration file. Add the following parameter to the NOTES.INI file:

    HTTPIHSDebugStartup=1

Example output:

    [06F4:0002-13C4] Set IHS config environment var DOMINO_IHS_ROOT=C:/domino/ihs.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_SERVER_NAME=envy.swg.usma.ibm.com.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_DOCUMENT_ROOT=c:/domino/data/domino/html.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_DOCUMENT_DIRECTORY=c:/domino/data/domino.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_PORT=9288.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_MAX_REQUESTLINE=4108.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_TECH_SUPPORT=c:/domino/data/IBM_TECHNICAL_SUPPORT.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_RESPONSE_TIMEOUT=300.
    [06F4:0002-13C4] Set IHS config environment var DOMINO_THREADS=120.

Troubleshooting the IBM HTTP Server


Changing the Windows Registry

On Windows systems, it is possible to hit a TCP port exhaustion condition. This can be caused by Domino Web applications that do not send a content-length or a chunked encoded header in the HTTP response. This forces the Domino HTTP server to close the loop back connection that is used by the mod_domino plugin to communicate with the Domino HTTP server. Every attempt is made to re-use the loop back connections between the mod_domino plugin and the Domino HTTP server. However, to prevent this condition from occurring, it may be necessary to add/change the following Windows TCP Registry settings.

The settings are located under the following registry key.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Value Name: TcpTimedWaitDelay
    Value Data: 30 - Should set the value to the minimum value of 30

    Value Name: MaxUserPort
    Value Data: 65534 -- Should be set to the maximum value of 65534

Modifying local firewall software

Lab testing has found that some firewall software running on the server may prevent and/or limit the number of loop back connections that can be made between the mod_domino plugin and the Domino HTTP server. It may be necessary to remove or configure local firewall software not to interfere with the operation of this plugin.

Fault Analyzer Task calculates dispositions by default

The Fault Analyzer task has been enhanced. Using a disposition value, fault reports are sorted in a new view to help explain the type of issues encountered and to allow administrators to focus on the reports important to them. Each fault report in LNDFR.NSF may be assigned a single disposition value. The new by Disposition view categorizes the documents, with the following top-level categories:

- Problem
- Possible Problem (possibly actionable)
- Possible Problem (likely NOT actionable)
- Informational
- Unknown (investigate)

Note: A document categorized as Unknown (Investigate) does not have a disposition value.

Problem category

The fault reports in this category have sufficient information to match their crash stacks against previously reported crashes, and the crash is not one of the special cases listed in the Possible Problem (possibly actionable) category.

Table: Subcategories for a Problem

Dispositions | Description
Crash with stack | Indicates that the client or server crashed, and information from normal data collection is available. The crash stack of the active thread is used to locate similar problems.
Out of Memory | Represents a crash in which the Java virtual machine (JVM) ran out of a memory resource such as heap space. Analyzing the attached Javacore file can help investigate the objects consuming the heap. IBM provides tools such as ISA and HeapAnalyzer to analyze this type of problem. See the IBM SDK Java Technology Edition Version 7 information center (http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp) for more information on Java troubleshooting.
Out of Memory Runaway Threads | Represents an out-of-memory condition caused by too many Java threads being created. The corresponding Javacore file should be analyzed to identify the excessive threads.


Possible Problem (possibly actionable) category

The fault reports in this category have sufficient information to investigate the problem, but are not likely to result in action that the administrator should take.

Table: Subcategories for a Possible Problem (possibly actionable)

Dispositions:

    Launched Notes multiple times
    Possible Hang
    Previous process lingered causing bad start
    Process did not balance Notes API Init/Term

Description:

Indicates that the user quickly launched multiple instances of the Notes client, resulting in a hang during Notes startup. In Notes 8.5.2 FP2 and Notes 8.5.3 (SPR #MLAT87XSS7), the situation is detected, the first launch succeeds, and the subsequent ones have no effect.

Indicates that the Notes client was manually terminated while it appeared to be doing useful work. It is recommended that you use the NSD a -hang to help determine if the client is actually progressing or is hung. If a similar active stack occurs in many reports, that information should be provided to IBM for further investigation.

Represents a crash in which the Java virtual machine (JVM) ran out of a memory resource such as heap space. Analyzing the attached Javacore file can help investigate the objects consuming the heap. IBM provides tools such as ISA and HeapAnalyzer to analyze this type of problem. See the IBM SDK Java Technology Edition Version 7 information center (http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp) for more information on Java troubleshooting.

Indicates that the Notes client failed to launch properly because a previous process called NotesInit() and terminated normally without calling NotesTerm(). The crash occurs when the client attempts to attach to previously allocated shared memory. This previous process could be an application provided by IBM, a third party application, or a user-written application. Since Notes supports extensions through plug-ins or the extension manager, the Notes process might be identified while the erroneous code might be in a third-party plug-in or extension. After the crash, the client will launch without errors.

The common occurrences reported by users in this situation included the Notes preloader (fixed in Notes/Domino 8.5.2 FP4 by SPR ATHN8DQD8D), IBM Traveler (fixed), and a third-party application with a work around documented in IBM TechNote #1417172, Lotus Notes 8.5.x crashes on NCExtMgr.MainEntryPoint (https://www-304.ibm.com/support/docview.wss?uid=swg21417172). In Notes 8.5.3, Fault Analyzer was enhanced to identify the previous process which caused the problem. If Fault Analyzer is able to determine the erroneous process, it inserts the name of the executable which did not perform the NotesTerm() in the crash stack. See theBadProcess.exe listed below, where theBadProcess represents the name of the problem executable.

    ...
    AccessAllProtected
    AccessAll
    Access
    LockMem
    AccessSHTChunksInt
    OSMemGetFaultHandle
    OSLockPool
    theBadProcess.exe << the executable name inserted by FaultAnalyzer
    OSLockVPool
    OSInitWaiterSemProcess
    ...

The source code for theBadProcess.exe should be scanned for a missing NotesTerm.


Dispositions: User Kill - Client appears idle User Kill Performing network I/O Process did not balance Notes API Init/Term Process missing NSD defect resulted in incomplete data

Description:

Indicates that the user manually terminated the client while it appeared to be waiting for input.

Indicates that the user manually terminated the Notes client while waiting for a network operation to complete. It is recommended that if this occurs frequently in the same situation, that information be provided to IBM to explore mechanisms to mask the delay from the user.

Indicates that a previous process abnormally terminated without doing balanced OSInit/OSTerms. The most likely causes are that the process crashed and did not trigger an NSD

Indicates that the NSD data is incomplete.

Possible Problem (likely NOT actionable) category

The fault reports in this category do not contain sufficient information to investigate the problem. However, IBM is constantly improving its data collection techniques, and fault reports on similar crashes in the future will be likely to contain more necessary information.

Table: Details of the dispositions in this category

Disposition | Description
Crash identified but NSD/Javacore missing | The console log was used to identify that a crash occurred but there is no NSD or Javacore from which to extract a crash stack.
Crash process not found in NSD | The crash process was identified but the crash stack is not in the NSD.
Had NSD or Javacore but no stacks were extracted | An NSD or Javacore is available but fault analyzer was unable to extract the crash stack from it.
No Notes Processes are running | An NSD is available but it does not contain any Notes processes.
No NSD or Javacore | Neither an NSD nor Javacore is available.
Notes2 exited with code=0 | Notes2 unexpectedly exited normally.
Notes2 missing | Notes2 was missing for an unknown reason.
Notes2 User Kill | Notes2 was manually terminated by the user.
NSD prematurely terminated by user | NSD was terminated by the user before necessary data was collected.
Notes2 terminated by call to System.exit() | Some unknown Java code called System.exit() which terminated the Java virtual machine. This code should be identified and changed.
Improper nlnotes shutdown | Nlnotes terminated for an unexplained reason.


Informational category

The reports in this category require no action. Either the faulting computers are configured not to mail attachments to the fault reports database, or a user took some manual action to send information from a running system.

Table: Summary of the dispositions in this category

Disposition | Description
ISA data collection | The user initiated a manual sending of ISA logs to the database. No attempt is made to analyze ISA collections.
Manual NSD, and/or javacore sent in via ADC | Information from a running system was mailed to the database.
No attachments found | Document does not contain attachments.
No scannable attachments found | Document contains attachments but none are of the form scanned by Fault Analyzer.
NSD called with kill | NSD was used to kill the Notes client or Domino server without collecting any other information.
Notes terminated during OS shutdown | User terminated the OS while the Notes client was running.
Notes terminated during OS shutdown (JRE) | User terminated the OS while the Notes client was running. This is a specific case of the previous disposition.
NSD prematurely terminated by user | NSD was terminated by the user before the necessary data was collected.
Incomplete data collection due to maximum size settings | The data collected is incomplete. This was likely caused by a policy setting which constrains the amount of data collected.

Using the Quality of Service (QoS) feature to help keep Domino servers available
Quality of Service, or QoS, is a feature in this release designed to react to the general operation of a Domino server in order to keep that server up and functioning reliably at all times. If QoS detects that a server is not responding or hung, QoS probing can be configured to email an administrator about the problem and/or automatically terminate the server and restart it. QoS log information can also be useful for analysis by IBM Support.

Caution In this beta release, QoS and fault recovery should not be enabled at the same time.

Important If QoS (re)starts a server that has a password on the server.id file, the server will not start until an administrator connects to the console on that server and enters the password. Therefore, if you want QoS to be able to (re)start Domino without intervention on a specific server, for example at inconvenient times when an administrator is not available for a manual password entry, do not use a password on the server.id file on that server.

QoS requires that the Domino server be run under the java controller (run the server using java console: 'nserver -jc'). On Windows systems, use 'nserver', and on all other platforms use 'server'.


Caution For the following six INI values, all described below, if you do not configure the value, or configure it as less than the default, the default value applies. You can only change the value to be greater than the default.

- QOS_PROBE_INTERVAL
- QOS_PROBE_TIMEOUT
- QOS_RESTART_LIMIT_PERIOD
- QOS_SHUTDOWN_TIMEOUT
- QOS_RESTART_TIMEOUT
- QOS_APPS_TIMEOUT

Enabling QoS when starting Domino

1. Install this beta release of Domino.
2. Start, and then stop, the Domino server.
3. Open a command prompt and navigate to the directory where Domino is installed.
4. At the command prompt, run 'nserver -jc' to start the server and server console.
5. At the command prompt, run 'nserver -jc -q -y' to stop the server and server console. This action creates the initial dcontroller.ini file in the server's data directory.
6. Add the following setting to the dcontroller.ini file: QOS_ENABLE=1
7. Add the following setting to the Domino server notes.ini file: QOS_ENABLE=1

When issuing the (n)server command, -jc runs the java console. The -q option quits immediately after startup has completed, and the -y answers 'yes' to the quit verification.

Verifying that QoS is running

If you are not the administrator who enabled QoS, you can verify the correct setup by checking for the following settings:

In the notes.ini file:

    QOS_ENABLE=1

In the dcontroller.ini file (all but the first are optional):

    QOS_ENABLE=1
    QOS_MAIL_TO=email address to send notifications to
    QOS_MAIL_SMTP_SERVER=name of server to use when sending notifications through SMTP
    QOS_NOKILL=1 - When this is set to 1, it stops QOS from killing the server when an event is triggered
    QOS_MAIL_ATTACH_LOGS=1 - If a notification is sent, a setting of 1 attaches the NSD logs


Configuring QoS

The qosprobe addin task can be configured with the following settings on the Domino server in the server NOTES.INI file:

- QOS_PROBE_INTERVAL=n The probe interval in minutes. This can be set in the notes.ini. The default is 1 minute.
- QOS_PROBE_TIMEOUT=n The probe timeout in minutes. This can be set in the dcontroller.ini. The default is 5 minutes.

Note QOS_PROBE_TIMEOUT should be much greater than QOS_PROBE_INTERVAL. If the timeout occurs before the probe is set to respond, the server will be restarted constantly.

The server controller monitors a message queue to which the qosprobe addin communicates its probing results (SUCCESS, ERROR, TIMEOUT). The messages are captured in the qoscntrlr<timestamp>.out file found in the server data directory.

The following is an example of a SUCCESS message:

    2010/01/07 07:42:56 QoS Probe: SUCCESS (88ms)

The following is an example of an ERROR message:

    2010/01/07 08:05:59 QoS Probe: ERROR: ProbeError=4803

When the QoS server is enabled, on TIMEOUT, the controller will smart kill the server and restart. A timeout can happen in either of the following cases:

- The NSFDbOpen or NIFOpenCollection calls used by the probe return Domino's ERR_TIMEOUT error. This error is sent to the controller and a smart kill/restart is initiated.
- The controller does not receive a message from qosprobe within the timeout period (QOS_PROBE_TIMEOUT). This can happen in one of the following ways:
    - qosprobe was told to quit ('tell qosprobe quit') or is not running.
    - qosprobe becomes hung while probing.

If the controller receives a probe timeout, it may not initiate a server kill/restart because long running and/or load intensive operations are running (and thus may have caused the probe to time out). These operations include BACKUP, COMPACT, DBCOPY, FIXUP and DBPURGE. In these cases, you see messages like the following ones in the qoscntrlr<timestamp>.out file:

    2010/01/07 07:42:56 QoS Controller: The controller has received a probe timeout.
    2010/01/07 07:42:56 QoS Controller: There are long running applications probing will pause until they have completed.

If this condition is detected, the controller will then allow the lengthy ("long-running") operation more time to complete. If any lengthy operation fails to complete within that amount of time, the controller will then proceed with the smart kill/restart. You see a message like the one in the following example in the qoscntrlr<timestamp>.out file:

    2010/01/07 07:42:56 QoS Controller: Applications are not making progress.


Pausing and resuming QoS

QoS provides a mechanism to pause or resume the QoS service at a specific time. Pausing QoS avoids allowing the server to be killed during an operation that is expected to take a long time or that is critical to server operation; examples are backups or other maintenance operations. Temporarily disabling QoS allows these operations to complete without being misinterpreted by QoS as a server problem.

To pause QoS probing, use the following command at the Domino server console:

    tell qos pause

With this pause, only the QoS probe is running; it will not kill or restart the Domino server.

To resume QoS probing, use the following command at the Domino server console:

    tell qos resume

Limiting QoS restarts

QoS provides the option to limit the QoS restart times during one interval. When the restart times reach the time limitation, the QoS service is deactivated. The following parameters are set in the dcontroller.ini file.

    QOS_RESTART_LIMIT_ENABLE= Determines whether to enable the restart limitation. The default is 0.
    QOS_RESTART_LIMIT_MAXIMUM= Set the maximum restart times during the specific interval (set by QOS_RESTART_LIMIT_PERIOD). The default is 3.
    QOS_RESTART_LIMIT_PERIOD= Restart time limitation interval; QoS allows only the restart times during this period. The default is 30 minutes.

Running QoS with a no kill option

You can run QoS with a no kill option. When QoS detects server exceptions, it sends a single email to a specified administrator with notification of the exception instead of killing and restarting the server directly. (You can also set QoS to send mail to an administrator whether or not you enable the no kill option.) The following parameters are set in the dcontroller.ini file.

    QOS_MAIL_TO= Administrator mail address.
    QOS_MAIL_SMTP_SERVER= SMTP mail server ip and SMTP port with the format <server ip>:<port>
    QOS_NOKILL= Whether to enable no kill option. Set to 1 to enable the option and 0 to disable it.
    QOS_MAIL_ATTACH_LOGS= Whether to attach logs in the mail sent to administrator

Important The QOS_MAIL options do not support a user name/password combination. The specified SMTP server must accept mail without password authentication.


Running QoS with other configuration options

The following parameters are set in the dcontroller.ini file.

    QOS_DISABLE_PROBING=1 Disable all QoS probing.
    QOS_SHUTDOWN_TIMEOUT= The length of time a shutdown is allowed to take before QoS will smart kill the server. The default is 5 minutes.
    QOS_RESTART_TIMEOUT= The length of time a server restart is allowed (including RM restart) to take before QoS will smart kill the server. This time starts *after* the server is completely down (clean). The default is 5 minutes.
    QOS_APPS_TIMEOUT= The length of time a long running application is allowed to continue without showing progress before QoS smart kills the server. The default is 10 minutes.

QoS kill events

The following is how the server and server controller should behave during kill events.

- 'nsd -kill' does not produce an nsd. It produces only a kill_* file.
- If and only if the server is due to be restarted, the controller generates its own 'nsd -stacks' for troubleshooting purposes.
- With QoSShutdownNSD=seconds set in the notes.ini, an 'nsd -stacks' is generated every QoSShutdownNSD seconds if the server has not come down cleanly within QoSShutdownNSD seconds. This notes.ini setting is used for troubleshooting servers that are taking too long to shut down.

Event | Controller action | Configurable?
probe (qosprobe) timeout * | server is killed after 5 minutes and restarted | dcontroller.ini:QOS_PROBE_TIMEOUT=minutes
long running applications timeout ** | server is killed after 10 minutes and restarted | dcontroller.ini:QOS_APPS_TIMEOUT=minutes
server runs out of shared handles | server is killed and restarted | no
server runs out of session tables | server is killed and restarted | no
server runs out of net memory | server is killed and restarted | no
server runs out of shared memory handles | server is killed and restarted | no
server crash/panic while running | server is restarted after 5 minutes | no
server takes too long to shutdown ('quit') | server is killed after 5 minutes | dcontroller.ini:QOS_SHUTDOWN_TIMEOUT=minutes
server takes too long to restart ('restart server') | server is killed after 5 minutes and restarted | dcontroller.ini:QOS_RESTART_TIMEOUT=minutes
The server process has terminated abnormally | server is killed and restarted | no

* - timeout indicates that the qosprobe server addin is unable to open the server's names.nsf ($Servers view) successfully within QOS_PROBE_TIMEOUT milliseconds.


QoS failover trigger

A QoS smart kill can have a server down for up to 20 minutes. Total downtime can include an approximately 5-minute detection of a probe timeout, the running of nsd to collect data on all processes (~3 minutes), the killing of the server (~1-2 minutes), and the restarting (including gating task time - up to 10 minutes). Any new requests designated to process on a server that QoS is set to will immediately fail over to a clustermate within seconds of the moment that QoS detects that the server should be smart killed.

Note Since we care about failover only when the server is known to be up, running, and processing, the fast failover feature is not used in the following smart kill scenarios:

- server shutdown is taking too long
- server restart is taking too long
- the server has crashed and QoS needs to clean up after the crash

Note You can disable the StaticHang mechanism by using the notes.ini setting QOS_DISABLE_FAILOVER_TRIGGER=1. With this set, the triggerImmediateServerFailover file will still be created and deleted, but the server will not StaticHang to force failover.

QoS controller log file

You will find a new log file in the Domino server's data directory. The QoS controller log file contains details corresponding to various events as captured or processed by the QoS controller, events relating to QoS probing, hygienic server restart, server crashes, QoS smart kills, and other miscellaneous events. This document will describe this log file, how it works, and how to properly read it when troubleshooting an event in the service.

Note You may also want to provide IBM support with the log file if you are troubleshooting a server problem with them.

Log file naming convention


The QoS controller log file name contains a 24 hour timestamp in the format YYYYMMDDHHmm:

    qoscntrlr201105171528.out

This timestamp indicates the time that the QoS controller was started. The above filename would be the QoS controller log for a service start of May 17th, 2011 at 3:28 PM. If the service is stopped and started again, the current qoscntrlrYYYYMMDDHHmm.out file is given the .log extension and a new qoscntrlrYYYYMMDDHHmm.out file is created with the current time. These qoscntrlrYYYYMMDDHHmm.log files are automatically deleted when the service is started if they are older than 14 days.

How to read the log file


At the very beginning of the log file, you will see general configuration information for this logged run of the QoS controller:

    2012/08/06 06:33:34 QoS Controller: Starting QOSPipeWatcher
    2012/08/06 06:33:34 QoS Controller: QOS_PROBE_TIMEOUT=5 minutes
    2012/08/06 06:33:34 QOSController: QOS_SHUTDOWN_TIMEOUT=5 minutes
    2012/08/06 06:33:34 QOSController: QOS_RESTART_TIMEOUT=5 minutes
    2012/08/06 06:33:34 QOSController: QOS_APPS_TIMEOUT=10 minutes
    2012/08/06 06:33:34 QoS Controller: nsd Program Path=/opt/ibm/lotus/notes/latest/linux/nsd.sh
    2012/08/06 06:33:34 QoS Controller: QOS_RESTART_LIMIT_MAXIMUM=3
    2012/08/06 06:33:34 QoS Controller: QOS_RESTART_LIMIT_PERIOD=30 minutes
    2012/08/06 06:33:34 QoS Controller: QOS_NOKILL=false
    2012/08/06 06:33:34 QoS Controller: QOS_MAIL_TO=test/ibm
    2012/08/06 06:33:34 QoS Controller: QOS_MAIL_SMTP_SERVER=xx

These items, along with some other basic items, can be configured in the Domino controller ini file (dcontroller.ini), found in the server's data directory.

The rest of the file from this point on contains a log entry for each message sent to the QoS controller by the server or one of its tasks. These messages have the format:

    2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev ObjectType2=ProcessName ObjectValue2=nserver TimeDate=20120508T001506,95-04
    2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=SERVER TimeDate=20120508T001507,40-04
    2012/05/08 00:15:21 QoS Controller: OpMsg=READY Type=SERVER TimeDate=20120508T001517,92-04

All messages logged to the QoS controller log file have a timestamp. If the QoS controller logs the message, it has the format:

    TimeDate=20120508T001506,95-04

If one of the QoS controller's other threads logs a message to the log file, it has the format:

    2012/05/08 00:15:21 QoS Probe: <message>
    2012/05/08 00:15:21 QoS Applications: <message>
    2012/05/08 00:15:21 QoS Kill: <message>
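An added example, not part of the IBM release notes: a Python parser for the controller log format described above. It summarizes probe results, probe timeouts and long-running operations that logged START without a matching END. The sample lines are constructed from the excerpts on this page; reading ",95" in TimeDate as hundredths of a second and "-04" as the UTC offset is an assumption, and only the probe message formats quoted on this page are matched.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the log excerpts quoted on this page.
SAMPLE_LOG = r"""
2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev ObjectType2=ProcessName ObjectValue2=nserver TimeDate=20120508T001506,95-04
2012/05/08 00:15:21 QoS Controller: OpMsg=READY Type=SERVER TimeDate=20120508T001517,92-04
2012/05/08 00:15:25 QoS Probe: OpMsg=START, Type=PROBE
2012/05/08 00:16:25 QoS Probe: SUCCESS (156ms)
2012/05/08 00:17:25 QoS Probe: SUCCESS (16ms)
2012/05/08 00:18:25 QoS Probe: ERROR: ProbeError=4803
2012/05/08 00:38:32 QoS Controller: OpMsg=START Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003826,18-04
2012/05/08 00:38:32 QoS Controller: OpMsg=END Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003829,79-04
2012/05/08 00:47:42 QoS Controller: OpMsg=START Type=COMPACT ObjectType=DB ObjectValue=events4.nsf TimeDate=20120508T004740,23-04
2012/05/08 00:52:42 QoS Controller: The controller has received a probe timeout.
2012/05/08 01:02:42 QoS Controller: Applications are not making progress.
"""

# The page shows both "QoS Controller:" and "QOSController:" prefixes.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (QoS ?\w+): (.*)$", re.I)
# Values may contain spaces and '=' (CN=rc45/O=dev, C:\Program Files\...),
# so split on the known key names rather than on whitespace.
KEY_RE = re.compile(r"(?:^|[\s,])(OpMsg|Type|ObjectType2?|ObjectValue2?|TimeDate)=")
TD_RE = re.compile(r"(\d{8}T\d{6}),(\d{2})([+-])(\d{2})(\d{2})?$")
LONG_RUNNING = {"BACKUP", "COMPACT", "DBCOPY", "FIXUP", "DBPURGE"}  # from the page


def parse_fields(text):
    parts = KEY_RE.split(text)  # [prefix, key1, value1, key2, value2, ...]
    return {k: v.strip().rstrip(",") for k, v in zip(parts[1::2], parts[2::2])}


def parse_timedate(value):
    """'20120508T001517,92-04' -> timezone-aware datetime (assumed layout)."""
    m = TD_RE.match(value)
    if not m:
        return None
    base = datetime.strptime(m.group(1), "%Y%m%dT%H%M%S")
    offset = timedelta(hours=int(m.group(4)), minutes=int(m.group(5) or 0))
    tz = timezone(-offset if m.group(3) == "-" else offset)
    return base.replace(microsecond=int(m.group(2)) * 10000, tzinfo=tz)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, source, text = m.groups()
    return {"logged": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
            "source": source[3:].strip().lower(),  # controller, probe, ...
            "text": text, "fields": parse_fields(text)}


def log_start_time(filename):
    """Controller start time encoded in qoscntrlrYYYYMMDDHHmm.out/.log."""
    m = re.fullmatch(r"qoscntrlr(\d{12})\.(?:out|log)", filename)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M") if m else None


def summarize(log_text):
    out = {"probe_success": 0, "max_probe_ms": 0, "probe_errors": [],
           "probe_timeouts": 0, "stalled": False, "ready_at": None}
    running = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        text, f = rec["text"], rec["fields"]
        ok = re.match(r"SUCCESS \((\d+)ms\)", text)
        err = re.match(r"ERROR: ProbeError=(\d+)", text)
        if rec["source"] == "probe" and ok:
            out["probe_success"] += 1
            out["max_probe_ms"] = max(out["max_probe_ms"], int(ok.group(1)))
        elif rec["source"] == "probe" and err:
            out["probe_errors"].append(err.group(1))
        elif "received a probe timeout" in text:
            out["probe_timeouts"] += 1
        elif "not making progress" in text:
            out["stalled"] = True  # precedes a smart kill/restart
        elif f.get("OpMsg") == "READY" and f.get("Type") == "SERVER":
            sent = parse_timedate(f.get("TimeDate", ""))
            out["ready_at"] = sent.isoformat() if sent else None
        elif f.get("Type") in LONG_RUNNING:
            key = (f["Type"], f.get("ObjectValue", ""))
            if f.get("OpMsg") == "START":
                running[key] = rec["logged"]
            elif f.get("OpMsg") == "END":
                running.pop(key, None)
    out["open_long_running"] = sorted(running)  # START seen, END never logged
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```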

What to look for in the log file


This table shows examples of basic logging events you should see when looking at the QoS controller log file. Event Normal server startup Example of what log shows 2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev ObjectType2=ProcessName ObjectValue2=nserver TimeDate=20120508T001506,95-04 2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=SERVER TimeDate=20120508T001507,40-04 2012/05/08 00:15:10 QoS Applications: Clearing long running apps list 2012/05/08 00:15:21 QoS Controller: OpMsg=READY Type=SERVER TimeDate=20120508T001517,92-04 2012/05/08 00:15:21 QoS Controller: Server is ready to process requests

56

IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta

Release Notes

Event: Normal server shutdown
Example of what log shows:

    2012/05/08 00:45:22 QoS Controller: OpMsg=END Type=SERVER ObjectType=Detail ObjectValue=Quit TimeDate=20120508T004516,01-04
    2012/05/08 00:45:22 QoS Controller: Deactivating probe...
    2012/05/08 00:45:22 QoS Controller: QoS Probe deactivated.
    2012/05/08 00:45:26 QoS Controller: OpMsg=END Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev TimeDate=20120508T004523,51-04
    2012/05/08 00:45:27 QoS Applications: Clearing long running apps list

Event: QoS probing
Example of what log shows:

    2012/05/08 00:15:21 QoS Controller: Activating probe...
    2012/05/08 00:15:21 QoS Controller: QoS Probe activated.
    2012/05/08 00:15:21 QoS Probe: Starting qosprobe...
    2012/05/08 00:15:25 QoS Probe: OpMsg=START, Type=PROBE
    2012/05/08 00:16:25 QoS Probe: The QoS Probe is probing.
    2012/05/08 00:16:25 QoS Probe: SUCCESS (156ms)
    2012/05/08 00:17:25 QoS Probe: SUCCESS (16ms)
    2012/05/08 00:18:25 QoS Probe: SUCCESS (31ms)
    2012/05/08 00:19:25 QoS Probe: SUCCESS (16ms)
    2012/05/08 00:20:26 QoS Probe: SUCCESS (15ms)

Event: Long-running applications
Example of what log shows:

    2012/05/08 00:38:32 QoS Controller: OpMsg=START Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003826,18-04
    2012/05/08 00:38:32 QoS Controller: OpMsg=END Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003829,79-04
    2012/05/08 00:38:32 QoS Applications: Adding FIXUP[C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf] to long running apps list
    2012/05/08 00:38:32 QoS Applications: Removing FIXUP[C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf] from long running apps list
    ...
    2012/05/08 00:47:42 QoS Controller: OpMsg=START Type=COMPACT ObjectType=DB ObjectValue=events4.nsf TimeDate=20120508T004740,23-04
    2012/05/08 00:47:42 QoS Controller: OpMsg=END Type=COMPACT ObjectType=DB ObjectValue=events4.nsf TimeDate=20120508T004740,23-04
    2012/05/08 00:47:43 QoS Applications: Adding COMPACT[events4.nsf] to long running apps list
    2012/05/08 00:47:43 QoS Applications: Removing COMPACT[events4.nsf] from long running apps list


Evidence of a server crash in the log file


The QoS controller monitors and logs crash events to ensure the kill and restart are performed in a reasonable amount of time. To see evidence of this in the QoS controller log, search for the text "=CRASH" in the log file. Here is an example:

    2012/05/08 01:00:44 QoS Controller: OpMsg=CRASH Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev TimeDate=20120508T010039,48-04
    2012/05/08 01:00:44 QoS Controller: Server CN=rc45/O=dev has crashed.
    2012/05/08 01:00:44 QoS Controller: Deactivating probe...
    2012/05/08 01:00:44 QoS Controller: QoS Probe deactivated.

Evidence of a smart kill in the log file


The QoS controller is coded to kill the server intelligently based on information it receives from the server or from QoS probing. Here is what a smart kill from a QoS Probe timeout might look like in the QoS controller log file:

    2012/05/08 00:31:41 QoS Probe: SUCCESS (78ms)
    2012/05/08 00:32:41 QoS Probe: SUCCESS (16ms)
    2012/05/08 00:37:41 The probe thread has not received a message from qosprobe within the timeout period.
    2012/05/08 00:37:41 QoS Probe: The qosprobe addin has timed out, is not responding, or is not running.
    2012/05/08 00:37:41 QoS Controller: Deactivating probe...
    2012/05/08 00:37:41 QoS Controller: QoS Probe deactivated.
    2012/05/08 00:37:43 QoS Controller: OpMsg=TIMEOUT Type=PROBE TimeDate=null
    2012/05/08 00:37:43 QoS Controller: The controller has received a probe timeout.
    2012/05/08 00:37:43 QoS Kill: Triggering failover...
    2012/05/08 00:37:47 QoS Kill: Running nsd...
    2012/05/08 00:38:12 QoS Kill: Running nsd -kill
    2012/05/08 00:38:16 QoS Kill: Setting kill complete.
    2012/05/08 00:38:21 QoS Kill: Restarting DominoStarter thread
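For monitoring, the crash and smart-kill evidence described above can be pulled out of the log automatically. The following Python example is added here and is not IBM code; it parses the message format shown in these notes and reports crash events and probe-timeout kills with the time taken to restart. The function names are hypothetical, and the sample is made of log lines copied from the examples on this page and concatenated.

```python
import re
from datetime import datetime

# Keys seen in the sample messages on this page. Values can contain spaces
# and '=' (a Windows path, CN=rc45/O=dev), so a value runs to the next key.
KEY_RE = re.compile(r"\b(OpMsg|Type|ObjectType2?|ObjectValue2?|TimeDate)=")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:QoS (?P<thread>Controller|Probe|Applications|Kill): )?(?P<body>.*)$"
)

# Lines copied from the examples on this page (several runs concatenated).
SAMPLE_LOG = r"""
2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev ObjectType2=ProcessName ObjectValue2=nserver TimeDate=20120508T001506,95-04
2012/05/08 00:15:25 QoS Probe: OpMsg=START, Type=PROBE
2012/05/08 00:32:41 QoS Probe: SUCCESS (16ms)
2012/05/08 00:37:41 The probe thread has not received a message from qosprobe within the timeout period.
2012/05/08 00:37:43 QoS Controller: OpMsg=TIMEOUT Type=PROBE TimeDate=null
2012/05/08 00:37:43 QoS Kill: Triggering failover...
2012/05/08 00:37:47 QoS Kill: Running nsd...
2012/05/08 00:38:12 QoS Kill: Running nsd -kill
2012/05/08 00:38:16 QoS Kill: Setting kill complete.
2012/05/08 00:38:21 QoS Kill: Restarting DominoStarter thread
2012/05/08 00:38:32 QoS Controller: OpMsg=START Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003826,18-04
2012/05/08 01:00:44 QoS Controller: OpMsg=CRASH Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev TimeDate=20120508T010039,48-04
2012/05/08 01:00:44 QoS Controller: Server CN=rc45/O=dev has crashed.
"""


def parse_line(line):
    """Return {'time', 'thread', 'fields', 'text'} or None for a non-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    keys = list(KEY_RE.finditer(body))
    fields = {}
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        # The probe thread separates pairs with ", ", the controller with " ".
        fields[key.group(1)] = body[key.end():end].strip(" ,")
    return {
        "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "thread": m.group("thread"),  # None when the line has no "QoS <thread>:" prefix
        "fields": fields,
        "text": body,
    }


def find_incidents(lines):
    """Collect crash events and probe-timeout kills in log order."""
    incidents, open_kill = [], None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        op, typ = rec["fields"].get("OpMsg"), rec["fields"].get("Type")
        if op == "CRASH":
            incidents.append({"kind": "crash", "at": rec["time"],
                              "server": rec["fields"].get("ObjectValue")})
        elif op == "TIMEOUT" and typ == "PROBE":
            open_kill = {"kind": "probe_timeout_kill", "at": rec["time"],
                         "steps": [], "restarted_at": None}
            incidents.append(open_kill)
        elif rec["thread"] == "Kill" and open_kill is not None:
            open_kill["steps"].append(rec["text"])
            if rec["text"].startswith("Restarting"):
                open_kill["restarted_at"] = rec["time"]
                open_kill = None
    return incidents


def seconds_to_restart(incident):
    """Seconds from probe timeout to restart, or None if no restart was logged."""
    if incident.get("restarted_at") is None:
        return None
    return int((incident["restarted_at"] - incident["at"]).total_seconds())


if __name__ == "__main__":
    for inc in find_incidents(SAMPLE_LOG.splitlines()):
        print(inc["kind"], inc["at"], seconds_to_restart(inc))
```

A kill sequence with no "Restarting" line leaves restarted_at unset, which is the case worth alerting on.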

OpenSocial component

The OpenSocial component provides social and web features to make third-party processes available directly in the client user's mail. The OpenSocial component supports:
- iNotes Widgets and LiveText
- OpenSocial 2.0 Gadgets in the sidebar, pop-ups, and anywhere Notes and iNotes previously made widgets available
- Embedded Experiences in Notes and iNotes

If Notes clients have the OpenSocial features installed, the Domino OpenSocial component configuration is required. The OpenSocial component is deployed and configured on two server components: a Domino mail server, and another Domino server running Shindig, both with Domino 9.0 Social Edition installed. In addition, the Domino mail server supports iNotes and hosts the widgets catalog, and the Domino server running Shindig hosts the credential store application. In this beta release, you can deploy these two components either on a single Domino server or as two separate Domino servers. Clustering of either component is not supported in this beta release.


Setting up the Domino mail server for the OpenSocial component

Complete the following steps to create the widget catalog application.

Important: If you already have a widget catalog application, you do not need to create one, but you do need to replace its design from the toolbox.ntf template supplied with the current beta release of Domino 9.0 Social Edition.

Procedure
1. Open the IBM Domino 9.0 Social Edition Administrator client and connect to the server where you want to create the catalog.
2. Click Files.
3. Click File > Applications > New.
4. Select the server (not Local).
5. Enter an application Title -- for example, Widget Catalog.
6. Enter a unique file name.
   Note: You need this file name later, so make note of it.
7. In the Specify Template for New Application section, select your server (not Local).
8. Select Show advanced templates.
9. Select Widget Catalog (9).
10. Verify that the File name field contains toolbox.ntf.
11. Click OK.

Configuring the widget catalog application

Complete the procedures below to configure ACLs and roles, enable agents, and (optional) to set launch options.

Configuring ACLs and roles in the widget catalog


1. Open the Domino 9.0 Social Edition Administrator client and connect to the server where you created the widget catalog application.
2. Click Files.
3. Select the new application file, right-click and select Access Control/Manage.
4. Select your administrator user and enable all roles.
   Tip: Approving an OpenSocial widget requires at least one manager with the [Admins] role in the ACL of both the widget catalog and the credential store applications. However, if your organization has more than one administrator who approves widgets, a best practice is to create a group with a name of, for example, LocalDomainWidgetCatalogAdmins, and make sure the group has Manager access, plus the [Admins] role, in the ACL of each application.
5. Enable the desired access and roles for all other users.


Enabling agents in the widgets catalog

Enabling certain agents is required to enable OpenSocial widget functionality.

Before you begin


- Ensure that you have appropriate rights to enable agents on the Server document, Security tab, Programmability Restrictions section. At minimum, enable the Sign or run restricted LotusScript/Java agents option.

Procedure
1. Open the Widget Catalog in the classic (non-XPages) view.
2. Click View > Agents. If IBM Domino Designer is installed, Designer opens.
3. Select each agent listed in Table: Agents (below) and select Enable.
4. Specify the server on which the widget catalog application is deployed; the agents should all run on the same server.

Table: Agents
Agent                 Description
CalcDownloads         Ensures that widget documents display the updated number of user downloads. By default, this agent runs every 5 minutes.
CalcRatings           Ensures that widget documents display the updated average user rating. By default, this agent runs every 5 minutes.
CalcTags              Ensures that widget documents display the updated list of tags created by users. By default, this agent runs every 5 minutes.
CreateStatisticRDoc   Ensures that a statistic response document is created for each widget. By default, this agent runs daily.
RmDupRatingR2R        Ensures any duplicate rating response-to-response document from the same user is removed. By default, this agent runs daily.
PushToCredStore       Pushes widget proxy rules and capabilities to the credential store. By default, this agent runs every hour, but runs immediately if you are approving a widget on the master server.

What to do next
After the agents are enabled, during the procedure for configuring the credential store (below), be sure to give yourself the [Admins] role in the ACL of the credential store application (credstore.nsf).


Setting launch options for the widget catalog

After you have finished configuring the widget catalog application, you can set its launch options to the XPages user interface. In release 9.0 Social Edition, XPages is the preferred user interface for widgets in both Notes and iNotes clients, providing all with the same experience when using the widget catalog.

1. Select the new database, right-click and select Properties.
2. Click the icon for launch options.
3. Under When opened in the Notes client, select Open designated Frameset and select the Toolbox-MainFrameset-XPage frameset.
4. Under When opened in a browser, select home.xsp as the XPage.

Tip: There is no XPages user interface in the catalog application for approving and signing widgets. However, after you change the launch options to those in the procedure above, you and other administrators can still see the classic user interface and have the Review button available for approving and signing widgets. To do so, open the catalog in the Administrator client without the Notes client running.

For additional details on XPage launch options, see the following technote: Widgets catalog as an XPages application

Setting up the Domino server to run the OpenSocial component and Shindig

For complete information on the credential store, see the 9.0 Social Edition focus feature Using a credential store to share credentials.

Creating the credential store application on the server running Shindig


1. Open the server console on the Domino server running Shindig.
2. Enter the command

       keymgmt create nek nekname

   where nekname is any name of your choosing, for example, social.
3. Verify that the NEK is created successfully.
4. Enter the command

       keymgmt create credstore nekname

   where the nekname value is the same as the nekname value used in Step 2.

Result: Domino creates a credstore.nsf application in the data\IBM_CredStore directory.

Configuring the credential store application for the OpenSocial component


Before you begin
The Domino 9.0 Social Edition Administrator client must have $ENABLE_EE=1 in the notes.ini file.

1. Open the Domino 9.0 Social Edition Administrator client and connect to the server where the credential store application resides.
2. Click Files.
3. Select the credential store application, right-click and select Access Control/Manage.
4. Give Manager access to widget catalog administrators, your server, and the user who enabled the agents in the Widget Catalog.
5. Add the [Admins] role to any administrative users and to the server.
6. Open the widget catalog application as a widget catalog administrator, and open the Administration > Configuration view.
7. Click Configure Credential Store and enter the Server Name and NSF Name for the credential store database. Click OK. Use the complete path for the server name, for example, renovations/sales, or click Browse to select the IBM_Credstore/credstore.nsf application on the desired server.


8. Open the credential store application as a widget catalog administrator and open the Configuration view.
9. Click Create encryption key.
10. Click Create new encryption key and click OK.

Creating a configuration settings document for all servers that run Shindig
Before you begin
- The Domino 9.0 Social Edition Administrator client must have $ENABLE_EE=1 in the notes.ini file.
- The Domino Directory on the servers running Shindig must be using the Domino 9.0 Social Edition pubnames.ntf template.

Procedure
1. Open the Domino Administrator client.
2. Select File > Open Server and open the Domino server running Shindig.
3. Click Configuration, and then click Server > Configurations.
4. Click Add Configuration to create a new configuration settings document.
5. On the Basics tab, in the Group or Server name field, enter the name of a server that runs Shindig or the name of a group containing all servers that run Shindig.
6. Click Social Edition.
7. On the Basics tab, complete the fields for the locked domain and unlocked domains based on your deployment topology. Locked and unlocked domains are used if your organization has iNotes clients.
   - For examples of strings to enter, see the pop-up help on the form.
   - For more details, see the topic Understanding and configuring locked domains below under Configuring the OpenSocial component for iNotes clients.
8. Set the Shindig server(s) host name field by entering the host name of the server.
   Important: This host name should be the same host name used to register callback URLs for any OAuth 1.0a or OAuth2 services.
9. (Optional) Set the cache fields. These can be left blank to use the defaults.
10. (Optional) On the Advanced tab, configure settings for both shindig.properties and container.js. These settings map directly to settings used in the configuration files of the same name in Apache Shindig.

Configuring the OpenSocial component for iNotes clients

Several configuration changes are required to support the OpenSocial component features in iNotes.

Configuring server session authentication


1. In the Domino Administrator client, open the Server document for the Domino server running Shindig.
2. On the Internet Protocols > Domino Web Engine tab, in the Session authentication field, select one of the following options for session authentication, specify settings that appear in conjunction with the option, then save the Server document:
   - Multiple Servers (SSO) - This option is recommended as the best choice if you have both iNotes and Notes clients.
   - Single Server - This option works only if you have only iNotes clients, and you have one server for both iNotes and Shindig.

Note: In this beta release, SAML authentication is not yet tested in combination with OpenSocial widgets.

For details on these options, see Enabling single sign-on and basic authentication in the Notes and Domino Information center.


Configuring automatic updates for widgets

As with widgets in Notes, you can use a policy to push widgets to iNotes users automatically.

Procedure
1. Enable these two required notes.ini file settings in the notes.ini file on the mail servers to enable automatic updates for widgets.
   Note: These notes.ini file settings are server wide settings as opposed to policies. Policies are used per user on every server, but if there is a server that needs to disable EE or Live Text, use these notes.ini file settings to do so.
2. Add the OSGi Tasklet Server (DOTs) server task to the notes.ini file on the server using the ServerTasks= notes.ini file setting. For example, enter

       ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,RnRMgr,DOTS

   This starts DOTs automatically when the server starts.

Table: NOTES.INI settings related to iNotes clients


Parameter: iNotes_WA_Widgets_AutoUpdate_Group
Acceptable Values: Name of a Domino group. Default Value = N/A
Description: Sets a directory group name that is used during Widgets automatic update; all members of the group have auto update run for them.

Parameter: iNotes_WA_Widgets_AutoUpdate_Min -OR- iNotes_WA_Widgets_AutoUpdate_Day
Acceptable Values: A number. Default Value = 0
Description: The interval for Widgets automatic update. Default is 0 (never runs). iNotes_WA_Widgets_AutoUpdate_Day=1 is recommended.


Configuring policies for the OpenSocial component

You can use an existing policy or create new policy and settings documents for OpenSocial component users. The policy for iNotes can overlap and share the same settings documents used by the Notes OpenSocial component configuration. For more information about configuring Widgets with a policy, see Controlling Widgets and Live Text access using Domino policy.

About this task


- The administration process (AdminP) runs every 12 hours to push these policies to iNotes users. AdminP runs on the home mail servers for each user.
- To force the push, from the Domino server console, enter the command tell adminp process mail on each home mail server.
- You can also use the notes.ini file setting ADMINP_POLL_INTERVAL=<time in minutes> to process mail policy at intervals other than the default 12 hours.
  Note: This notes.ini setting processes every mail file on your system and can take a long time. Keep this in mind when setting the interval. See Domino Policy FAQ for more information.

Before you begin
This task requires:
- A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 set in the notes.ini file.
- The Domino Directory for the domain refreshed from the Domino 9.0 Social Edition pubnames.ntf template.

Important: While no specific mail settings are required for the OpenSocial component for iNotes, a mail settings document must exist in any policy that is configured for the Domino OpenSocial component to ensure that certain profile notes are populated as part of mail processing for the administration process.

Procedure
1. In the Desktop policy settings document, click Widgets.
2. In the Widget catalog application name field, enter the widget catalog application name.
3. In the Widget catalog server field, enter the name of the server on which the Widget Catalog application resides.
4. In the Gadget Server URL field, enter the URL for the Domino server running Shindig. Use the format http://server name:port/fiesta. For example, enter http://shindig.renovations.com:80/fiesta
5. Specify any of the other following settings for widgets, all supported for iNotes clients:
   - Widget catalog categories to install
   - Show the My Widgets panel in the sidebar
   - Enable Live Text
   - Enable default recognizers
   - Restrict provider IDs for installation/execution and Enable provider IDs for installation/execution
   - Restrict extension point IDs for installation/execution and Enable extension point IDs for installation/execution
   - Install widgets from catalog
6. Save the Desktop settings document.
7. In the Security policy settings document, click Proxies.
8. Click Edit list.


9. Complete these fields:
   - In the Context field, enter /xsp/proxy/BasicProxy/
   - In the URL field, enter the URL to the server that runs Shindig. This value should match the URL provided in the Gadget Server URL field on the Widgets tab of the Desktop policy settings document.
   - In the Actions field, enter GET,POST
   - In the Cookies field, enter DomAuthSessId,LtpaToken,LtpaToken2
   - In the Mime-types field, enter *
   - In the Headers field, enter *
10. Click Add/Modify Value.
11. Click OK.
12. Save the Security settings document.

Understanding and configuring locked domains

Domain locking is a security feature that isolates and protects OpenSocial widgets from third-party sources that might try to cause harm to other widgets, the browser, or your application. Locked domains are essential for products such as Domino 9.0 Social Edition and iNotes 9.0 Social Edition that allow users to add or render widgets from third-party sources. Malicious content can often try to take advantage of a user's authenticated session to extract server data, modify other widgets on the page, or attack web services that have been authenticated and authorized through Open Authorization (OAuth).

Locked domains prevent these security risks by sandboxing widgets into individual subdomains that cannot be penetrated by third-party sources or other widgets on the page. Locked domains prevent widgets from having direct access to secure information in the browser and in other widgets on the page, including JavaScript and cookies. Even with a proxy, a piece of malicious or hacked JavaScript code that is loaded in the browser without locked domains can gain access to all of a user's single sign-on (SSO) cookies via the window.cookies object. Even though SSO cookies time out after a set expiration time, the malicious code can still obtain blanket access to the enterprise for a given interval of time.

Therefore, in iNotes 9.0 Social Edition, it is strongly recommended that you configure locked domains and never disable them.

What are some common deployment scenarios?


The main factor that determines your deployment scenario is how and from where your OpenSocial widgets receive data. If they receive data only from within the enterprise firewall (intranet), your configuration setup will differ from setups for widgets that receive data from outside the company. You may need to register your domain externally with a trusted domain name registrar.

How do I configure locked domains?


The steps required for configuring locked domains depend on your deployment. However, all deployments share some common prerequisites.


Configuring host domains


Setting up host domains is a required prerequisite for locked domains, regardless of your deployment. In Domino 9.0 Social Edition you set up host and locked domains on the Social Edition tab of the server Configuration Settings document in the Domino Directory.

A locked domain implementation consists of three separate domains:
- A single sign-on (SSO) domain.
- An unlocked container domain for your host application, that is, iNotes. This unlocked domain can be part of the SSO domain, but ideally the two domains should be separate so that cookies such as SSO tokens are not unintentionally carried along with content requests.
- Locked hosts that are derived specifically for each widget. Widgets run in individual subdomains of the locked host to prevent widgets from sharing data among themselves.

The unlocked domain handles initial calls such as proxy requests and has a specific host name, for example unlocked.renovations.com. The locked host name used for widgets is derived by computing a hash of the widget URLs and prepending that hash to a locked domain name suffix such as -locked.gadgets.com. The locked domain suffix must be a separate top-level domain (TLD) that is separate from the container (host application) and SSO domains.

Note: When selecting the unlocked host and locked domain suffix, consider the domain scope of authentication cookies that might be used. Ideally, widgets should not have access to the authentication cookies.

To re-associate Open Authorization (OAuth) tokens with the locked gadget, the container uses an encrypted string called the security token. Similar to SSO tokens such as Lightweight Third-Party Authentication (LTPA), the security token has a relatively short life span to ensure that access is not granted indefinitely if a widget is hacked. SSO tokens do not flow directly to the widget, even if the security token is compromised, so the widget can only access resources that it is authorized to access via the proxy.
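Before committing a host and locked-domain layout, the cookie-scope consideration in the Note above can be checked mechanically. The following Python example is added here and is not IBM or Apache Shindig code; it derives a locked host per widget and tests whether an SSO cookie's Domain attribute would cause the browser to send that cookie to the widget's host. Assumptions: the page does not name the hash, so SHA-256 with base32 encoding is used for illustration; the two-label comparison of parent zones is a simplification; the function names, widget URLs and the mail.renovations.com cookie domain are constructed.

```python
import base64
import hashlib


def locked_host(gadget_url, locked_suffix):
    """Prepend a hash of the widget URL to the locked domain suffix.

    Assumption: SHA-256 + base32 stands in for the product's hash.
    The first label is 52 + len("-locked") characters, under the 63 limit.
    """
    digest = hashlib.sha256(gadget_url.encode("utf-8")).digest()
    label = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return label + locked_suffix


def domain_match(host, cookie_domain):
    """Cookie domain-matching: the host equals the domain or is a subdomain."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def parent_zone(host):
    """Last two labels of a host name (simplification, no public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(sso_cookie_domain, unlocked_host, locked_suffix, gadget_urls):
    """Return (widget URL -> locked host, list of (finding, host))."""
    hosts = {url: locked_host(url, locked_suffix) for url in gadget_urls}
    findings = []
    for host in hosts.values():
        if domain_match(host, sso_cookie_domain):
            # The browser would attach SSO cookies to requests for this widget.
            findings.append(("SSO_COOKIE_REACHES_WIDGET", host))
        if parent_zone(host) == parent_zone(unlocked_host):
            # The locked suffix is not separate from the container's domain.
            findings.append(("LOCKED_SHARES_CONTAINER_ZONE", host))
    if domain_match(unlocked_host, sso_cookie_domain):
        # Allowed by the notes, but "ideally the two domains should be separate".
        findings.append(("UNLOCKED_HOST_IN_SSO_DOMAIN", unlocked_host))
    return hosts, findings


# Constructed widget URLs; the host names reuse the examples from these notes.
GADGETS = [
    "http://shindig.renovations.com:80/gadgets/tasks.xml",
    "http://shindig.renovations.com:80/gadgets/calendar.xml",
]

if __name__ == "__main__":
    layouts = {
        "separate": ("mail.renovations.com", "-locked.gadgets.com"),
        "shared": (".renovations.com", "-locked.renovations.com"),
    }
    for name, (cookie_domain, suffix) in layouts.items():
        hosts, findings = audit(cookie_domain, "unlocked.renovations.com",
                                suffix, GADGETS)
        print(name, sorted({kind for kind, _ in findings}) or "no findings")
```

The "shared" layout is the one to avoid: a cookie scoped to .renovations.com domain-matches every locked host under that suffix, so the per-widget subdomains no longer keep the SSO tokens away from widget content.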


Configuring a wildcard DNS server


Setting up a wildcard Domain Name System (DNS) server for your locked widget domains is another required prerequisite, regardless of your deployment. Configure your DNS server for wildcard hosting so that requests from your widget subdomains can be processed through a single web server.
For details about setting up the wildcard DNS server, see the following resources:
- http://www.zytrax.com/books/dns/ch9/subdomain.html
- http://www.debian-administration.org/articles/358

Configuring the OpenSocial component for Notes clients

You can configure the OpenSocial component to support Notes clients using a managed account and policy settings. You must also configure session authentication.

Configuring server session authentication


1. In the Domino Administrator client, open the Server document for the Domino server running Shindig.
2. On the Internet Protocols > Domino Web Engine tab, in the Session authentication field, select Multiple Servers (SSO).
3. Specify settings that appear in conjunction with the option, then save the Server document.

For details on these options, see Enabling single sign-on and basic authentication in the Notes and Domino Information center.

Configuring a managed account


The OpenSocial component uses the Accounts framework to manage security between the Notes client and the Domino server running Shindig.

1. Open the Domino Directory (names.nsf) for the domain.
2. Select People > Policies > Accounts.
3. Click Add Account.
4. Complete the Account settings.
   Note: Unless otherwise specified, you can keep the defaults.
5. Click Basics, and complete these fields:
   - Account name: A descriptive name. This will appear in the Accounts preferences user interface in Notes.
   - Account description: A description of the account, for example, Manages SSO between the Notes client and the Domino Server running Shindig.
   - Account type: Other
   - Account server name: http://Domino Server running Shindig host name/fiesta/container
   - Protocol: HTTP
   - Use Domino single sign-on if available: Enabled
   - Domino single sign-on server: Domino Server running Shindig host name (no protocol)
   - Allow other accounts to use this log in information: Disabled


6. Click Advanced, and complete these fields.
   Note: None of these options should be set to Editable.
   - Authentication Type: DOMINO-SSO
   - Enforce SSL: Yes
   - Enforce trusted sites: Yes
7. On the Advanced tab, click Edit list, and then enter PreferredUsernameField=fullname
8. Save the account document.

Configuring a Desktop settings policy document

You can use an existing policy or create new policy and settings documents for OpenSocial component users. The policy can overlap and share the same settings documents as those used by iNotes SE Configuration.

Before you begin

This task requires:
- A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 in the notes.ini file.
- The Domino Directory for the domain refreshed from the 9.0 Social Edition pubnames.ntf template.

Procedure
1. Create a Desktop settings policy document or modify an existing document.
2. Click Widgets.
3. In the Widget catalog application name field, enter the widget catalog application name.
4. In the Widget catalog server field, enter the name of the server on which the widget catalog application resides.
5. In the Gadget Server URL field, enter the URL for the Domino server running Shindig. Use the format http://server name:port/fiesta. For example, enter http://shindig.renovations.com:80/fiesta
6. Click the Custom Settings tab.
7. Add ENABLE_EE=1 and $ENABLE_EE=1 to the list of notes.ini settings.
8. Click the Accounts tab.
9. Click Update Links.
10. In the Accounts dialog box, select Selected supported.
11. Click OK.
12. In the Select accounts to push dialog box, select the account created above in the Configuring a managed account procedure. Click OK. The account appears in the Account Links section.
13. Save the Desktop settings document.

Configuring a Security settings policy document to establish trust

Before you begin

This task requires:
- A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 and ENABLE_EE=1 in the notes.ini file.

1. On the Domino server running Shindig, create a new Security settings policy document or modify an existing one.
2. Select the Execution Control List tab.
3. Click Edit (next to Admin ECL).
4. In the ECL list section, specify an administrator who approves widgets.
   Tip: The ECL does not support use of a group such as LocalDomainWidgetCatalogAdmins. You can try using a shared administration ID.
5. Ensure that Ability to configure widget capabilities is enabled for the administrator or group of administrators.


Approving a widget created from an OpenSocial gadget

Any time after a client user has added a widget to the catalog, the Domino administrator must follow an approval process to review, approve, and make the widget available as an embedded experience to client users. OpenSocial gadgets that provide client users with embedded experiences in Domino 9.0 Social Edition must be approved like any other widgets, but require some additional configuration.

Note: An OpenSocial gadget configured in a widget document in Domino is referred to as an OpenSocial widget.

Overview
During the approval process, you will configure:
- Proxy settings - required
- OAuth client consumer information (keys and secrets) - required only if a gadget needs them
- IP filter(s) - optional
- Metadata - optional

The process completes when you sign the approval document. After approval, you must also establish trust for an OpenSocial widget.

About proxy settings


Proxy settings for each OpenSocial widget are specified in the Configuration Proxy dialog box on both the Gadget Proxy and Content Proxy tabs. You can specify as many proxies as you need for resources that will be accessed by the OpenSocial widget you are approving. The proxies function as a whitelist that specifies the appropriate security settings for all such resources, allowing client users to access seamlessly everything needed for full functionality of the widget.

Tip: If you do not know whether the OpenSocial widget you are approving accesses any resources that will require proxies, check with the original provider of the gadget that was used to create the OpenSocial widget.

You may provide definitions on the Gadget Proxy tab for:
- The widget location.
   - GET action only, default headers, no additional cookies.
- The URLs need settings for the OAuth Token flows.
   - If OAuth 1.0a is used, Request Token and Access Token URLs with action = GET and Authorization together with the default as headers.
   - If OAuth 2.0 is used, Access Token URL with action = POST, and client_id, client_secret together with default as headers.
- URLs accessed using OAuth-enabled requests
   - Actions as needed, authorization, together with default for headers, and other headers and cookies as needed.
- Other URLs accessed without OAuth
   - Actions, headers, and cookies as needed

You provide definitions on the Content Proxy tab for resources that include static content, such as JavaScript files, images, or HTML content.

Tip: When you define proxy settings, define the narrowest scope that allows the OpenSocial widget to function to its fullest capability. While you can configure a proxy setting with * as the destination URL, you should avoid this practice because it may allow the server to be used for unauthorized activities.


The administrator initiates the approval process for an OpenSocial gadget from a widget document in the widget catalog. When the approval process is complete, the administrator can return to the widget document, and select Edit Proxy Data to adjust the configured proxy, OAuth, or other settings as needed.

On the Notes client, OpenSocial widgets are rendered from a local gadget server using the proxy settings defined in the widget catalog application that is replicated to the Notes client. iNotes users can open widgets from the Domino server running Shindig. This Domino server uses proxy rules (settings) contained within the credential store. Proxy settings configured using the widget catalog application are pushed by the PushProxy agent to the credential store. OAuth-enabled widgets are always rendered on a Domino server running Shindig; never from the gadget server on the Notes client.

At runtime, the URL contained in the request made by a gadget is compared against each of the URLs listed as proxies for the OpenSocial widget. When a match is found, the specified actions, headers, cookies, and MIME type restrictions are applied to the request.

About IP filters

The IP Filters consist of Allow and Deny Filters. The Deny filters are applied to the address, then the Allow filters are applied. The typical pattern for Allow filters is to deny a wide range of addresses, and then to allow only a specific server. There is no benefit to defining Allow filters without defining a Deny filter.

About OAuth configuration

If an OpenSocial widget requests OAuth-enabled services, during the approval process the administrator can use a Configure OAuth Consumer Information dialog box to specify values appropriate to the type of OAuth service the gadget is requesting. The fields in the dialog box differ according to whether the widget is requesting OAuth 1.0a or OAuth 2.0 authentication flows. You can complete fields in this document with information received from the OAuth provider. If all of the OAuth information is not immediately available, save the dialog box with the information you have. You can modify the information later by selecting the Edit OAuth Data action from the widget document. The Consumer Key and Secret are stored as encrypted items in the Consumer Key document in the credential store. When editing the widget document, the original values cannot be retrieved for display. If the widget document is saved without entering additional content in those fields, the original values are used. If new content is entered in those fields, the new content is encrypted and stored back in the Consumer Key document.

Before you begin

The administrator must have appropriate access to the widget catalog application, including being part of the [Admins] role, in order to approve widgets. Tip You can see which widgets have been reviewed and approved in the Administration > All Widgets by Approval view.


Procedure

1. In the widget catalog application, select the Administration > Configuration view.
2. Edit the widget document for the OpenSocial gadget that needs to be approved.
   Note The widget approval status shown in the widget document is Review Needed.
3. Click Review. A new Security section in the widget document is populated.
   Note The widget approval status shown in the widget document becomes Approval Needed.
4. If there is security data to approve, review the information.
5. If the widget should be approved, click Approve. The Configure Proxy dialog box opens.
   Note The Gadget URL field value is pre-filled from information in the extension.xml file in the widget document.
6. Complete the proxy settings on both the Gadget Proxy (determines what endpoints an OpenSocial Widget can use with Shindig's proxy) and Content Proxy (specifies data that may be fetched anonymously from OpenSocial widgets) tabs. The fields and details on their settings are listed below this procedure in Table: Fields in the Configure Proxy dialog box - Proxy Settings section.
   Note The Content Proxy settings apply to resources that the gadget requests, such as CSS and JavaScript, as well as any resources retrieved using the gadgets.io.getProxyUrl() OpenSocial API.
7. (Optional) Under IP filter, specify values in the Allow list and Deny list fields as needed. Represent filter values as IPv4 addresses:
   - Fully qualified domain name, no wildcards.
   - IP address and subnet mask, for example 9.6.1.0/255.255.0.0; no wildcards are permitted. Both sides of the subnet must be valid IPv4 addresses.
   - IP address with wildcards for specific address components only, for example, 9.6.*.*, but * by itself is not permitted.
8. When you have specified all initial proxy settings (you can modify them later), click OK in the Configure Proxy dialog box.
9. If the OpenSocial gadget uses OAuth, a version of the Configure OAuth Consumer Information dialog box specific to the gadget's release of OAuth opens. For information on the fields and details on their settings, see the Table: Fields in the Configure OAuth Consumer Information dialog box below this procedure.
   Note It is strongly recommended that you use secure https URLs in any fields where you enter URLs.
10. When you have specified any necessary OAuth settings (you can modify them later), click OK in the Configure OAuth Consumer Information dialog box.
11. Sign and save the widget document.
   Note The approval status in the widget document becomes Approved.
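The filter value forms listed in the procedure and the Deny-then-Allow order described under About IP filters, as an added Python sketch (not IBM's code). The function names are hypothetical, the sample lists are constructed, and treating an Allow match as overriding a Deny match is an assumption drawn from that description.

```python
"""IP filter entry checks for the Allow and Deny lists (added example, not IBM's code)."""
import ipaddress
import re

_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label


def parse_filter(entry: str):
    """Return a parsed entry, or raise ValueError for a form the procedure rules out."""
    entry = entry.strip()
    if entry == "*":
        raise ValueError("* by itself is not permitted")
    if "/" in entry:
        # IP address and subnet mask: both sides must be valid IPv4, no wildcards.
        addr, mask = entry.split("/", 1)
        mask_int = int(ipaddress.IPv4Address(mask))
        return ("mask", int(ipaddress.IPv4Address(addr)) & mask_int, mask_int)
    parts = entry.split(".")
    if len(parts) == 4 and all(p == "*" or (p.isascii() and p.isdigit()) for p in parts):
        # IP address, optionally with wildcards in specific components.
        if any(p != "*" and int(p) > 255 for p in parts):
            raise ValueError(f"octet out of range in {entry!r}")
        return ("wild", tuple(parts))
    if "*" in entry:
        raise ValueError("wildcards are not permitted in host names")
    if len(parts) > 1 and not parts[-1].isdigit() and all(_LABEL.fullmatch(p) for p in parts):
        return ("fqdn", entry.lower())
    raise ValueError(f"not a recognised filter value: {entry!r}")


def is_valid(entry: str) -> bool:
    """True when the entry is one of the three documented forms."""
    try:
        parse_filter(entry)
        return True
    except ValueError:
        return False


def entry_matches(parsed, ip: str, host: str = "") -> bool:
    """Compare one parsed entry with an IPv4 address (and host name for FQDN entries)."""
    kind = parsed[0]
    if kind == "mask":
        return (int(ipaddress.IPv4Address(ip)) & parsed[2]) == parsed[1]
    if kind == "wild":
        return all(p == "*" or int(p) == int(o) for p, o in zip(parsed[1], ip.split(".")))
    return host.lower() == parsed[1]


def is_permitted(ip: str, allow, deny, host: str = "") -> bool:
    """Deny filters first, then Allow filters; an Allow match overrides a Deny match
    (assumption). With an empty Deny list the Allow list changes nothing."""
    denied = any(entry_matches(parse_filter(e), ip, host) for e in deny)
    allowed = any(entry_matches(parse_filter(e), ip, host) for e in allow)
    return allowed or not denied


# Constructed sample lists: deny a wide range, then allow one specific server.
DENY = ["9.*.*.*"]
ALLOW = ["9.6.1.20/255.255.255.255"]

if __name__ == "__main__":
    for candidate in ("9.6.1.20", "9.6.1.21", "192.0.2.10"):
        print(candidate, "permitted" if is_permitted(candidate, ALLOW, DENY) else "rejected")
    for value in ("*", "9.6.*.0/255.255.0.0", "*.example.com", "9.6.*.*"):
        print(repr(value), "valid" if is_valid(value) else "invalid")
```
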


Table: Fields in the Configure Proxy dialog box - Proxy Settings section
Field: URL
Note This value is required
Description: The URL pattern for the proxy. The URL can include the wildcard character *, but only in its last path component. For example, the URL may contain http://www.example.com/images/*. However, http://www.example.com/*/images is not valid. For example, this URL http://www.example.com/foobar/test/* is valid and matches http://www.example.com/foobar/test/test.jsp, or http://www.example.com/foobar/test/someOtherstuff. A proxy URL such as http://www.example.com/foobar/test* is not the same, and is not likely to match any target URLs. The URL may contain only the wildcard character. At runtime, the URL contained in the request made by the gadget is compared against each of the different proxy URLs for the gadget. When a match is found, the Actions, Headers, Cookies, and MIME type restrictions are applied to the request.

Field: Actions
Note This value is required
Description: Select one or more of these actions: GET, POST, PUT, DELETE, HEAD. Any action entered here is permitted for any request matching the URL. By default, no actions are permitted.

Field: Headers
Description: Defines the headers that can be added to a request made from the gadget server. Headers are values sent by a request to a server indicating how the request should be treated and how the response should be returned. The HTTP specification defines a number of headers as a standard. Applications can add additional headers to the request. A gadget's request can include additional headers to be set. However, if those additional headers are not permitted by the proxy setting, then the headers are not allowed. If a request depends on additional headers, those headers must be defined. Use commas to separate individual entries in a list of headers. Follow the Internet specification for header names. Header names may contain a wildcard character (*) to match parts of names. For example, if the header name is MyH*, then both MyHeader and MyHome are permitted.
If nothing is specified, the default set of headers containing Cache-Control, Pragma, User-Agent, Accept*, Content* is used. If an additional header is required, the header list must contain the desired default headers, as well as the required additional header. For example, to add client_secret to the list of headers, the field would contain Cache-Control, Pragma, User-Agent, Accept*, Content*,client_secret. If the wildcard * is specified, all headers are permitted. To prevent any headers from being sent, add a single header name to the field, and do not include any default headers. For example, specify No_Headers to prevent all headers from being sent.
Note The Set-Cookie header is handled separately using the Cookies field, and should not be specified in the Headers field.

Field: Cookies
Description: Cookies are informational elements that transfer data between client and server. Gadget requests may contain cookie values that they desire to set. The Cookies field defines the set of cookies allowed to be passed through the server. Use commas to separate multiple cookie names. Specify the full cookie name. No wildcard characters are permitted.

Field: MIME types
Description: Set limitations on the request/response style specified with this field. Use commas to separate multiple values. The wildcard character (*) is permitted in the MIME types. An empty value, or a value of * permits all MIME types to be used.
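The URL, Actions, Headers and Cookies rules from this table, modelled as an added Python sketch that reviews a rule and shows what a matching request would be allowed to carry (not IBM's code). ProxyRule, lint and evaluate are hypothetical names, the sample rules are constructed, and first-match evaluation, prefix matching for a trailing /*, and case-insensitive header names are assumptions.

```python
"""Model of the Configure Proxy rule fields (added example, not IBM's code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Default header set quoted in the Headers field description.
DEFAULT_HEADERS = ("Cache-Control", "Pragma", "User-Agent", "Accept*", "Content*")


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; comparison is case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


@dataclass(frozen=True)
class ProxyRule:  # hypothetical name: one entry in a widget's proxy list
    url: str
    actions: tuple = ()               # by default, no actions are permitted
    headers: tuple = DEFAULT_HEADERS  # used when the Headers field is left empty
    cookies: tuple = ()               # full cookie names only, no wildcards


def lint(rule: ProxyRule) -> list:
    """Return review findings for one rule, based on the table and the Tip text."""
    findings = []
    if rule.url == "*":
        findings.append("broad: * as destination may allow unauthorized use of the server")
    else:
        parts = urlsplit(rule.url)
        components = parts.path.split("/")
        if "*" in parts.netloc or any("*" in c for c in components[:-1]):
            findings.append("invalid: * is allowed only in the last path component")
        elif "*" in components[-1] and components[-1] != "*":
            findings.append("suspect: partial wildcard is not likely to match any target URL")
    if not rule.actions:
        findings.append("inert: no actions selected, so every request is rejected")
    if "*" in rule.headers:
        findings.append("broad: * permits all headers")
    if any("*" in c for c in rule.cookies):
        findings.append("invalid: cookie names may not contain wildcards")
    return findings


def url_matches(pattern: str, url: str) -> bool:
    """A trailing '/*' matches anything below that path (assumption); otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def evaluate(rules, method, url, headers, cookies):
    """Apply the first matching rule; rejections are modelled as HTTP 403."""
    for rule in rules:
        if not url_matches(rule.url, url):
            continue
        if method.upper() not in rule.actions:
            return {"allowed": False, "status": 403,
                    "reason": f"{method} not permitted for {rule.url}"}
        return {
            "allowed": True,
            # Headers and cookies outside the rule are dropped (assumption).
            "headers": sorted(h for h in headers
                              if any(glob_match(p, h) for p in rule.headers)),
            "cookies": sorted(c for c in cookies if c in rule.cookies),
        }
    return {"allowed": False, "status": 403, "reason": "no proxy rule matches the URL"}


# Constructed sample rules for a hypothetical OAuth 2.0 gadget.
RULES = [
    ProxyRule("https://www.example.com/oauth/token", ("POST",),
              DEFAULT_HEADERS + ("client_id", "client_secret")),
    ProxyRule("https://www.example.com/api/*", ("GET",), cookies=("JSESSIONID",)),
    ProxyRule("https://www.example.com/static/*", ("GET",), headers=("No_Headers",)),
]

if __name__ == "__main__":
    for candidate in RULES + [ProxyRule("*", ("GET",), ("*",)),
                              ProxyRule("http://www.example.com/*/images", ("GET",))]:
        print(candidate.url, lint(candidate) or "ok")
    print(evaluate(RULES, "GET", "https://www.example.com/api/items",
                   {"Accept-Language": "en", "X-Custom": "1"},
                   {"JSESSIONID": "abc", "tracker": "xyz"}))
```
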


Table: Fields in the Configure OAuth Consumer Information dialog box (1.0A)
Field: Application Id
Description: URL to the OpenSocial widget's XML file. Domino supplies the value in this field.

Field: Service Name
Description: Domino supplies the value in this field.

Field: OAuth Request Token URI
Description: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: OAuth Access Token URI
Description: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: *Consumer Key**
Description: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: *Signature Method
Description: The signature style used when generating requests to a specific resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: *Consumer Secret**
Description: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.


Table: Fields in the Configure OAuth Consumer Information dialog box (2.0)
Field: Application Id
Description: URL to the OpenSocial widget's XML file. Domino supplies the value in this field.

Field: Service Name
Description: Domino supplies the value in this field.

Field: AllowModuleOverrides
Description: True (default) or False. Indicates whether or not URLs specified in the widget XML can be used. A value of true allows widget XML URLs to be used. A value of false will use only the URLs supplied from the database document.

Field: OAuth Authorization URL
Description: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: OAuth Request Token URI
Description: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: OAuth Access Token URI
Description: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: *Consumer Key**
Description: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: *Consumer Secret**
Description: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: Client Type
Description: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: Grant Type
Description: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: ClientAuthorization Type
Description: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.


Field: UseAuthorizationHeader
Description: True (default) or False. Indicates whether or not to include OAuth2 protocol content items as headers. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: UseUrlParameter
Description: False (default) or True. Indicates whether or not to include OAuth2 protocol content items as URL parameters. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Field: SharedTokens
Description: False (default) or True. Indicates whether or not an access token from a resource provider that matches the service name and consumer key can be used for multiple gadgets. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

What to do next

Unless the widget is meant for use only by iNotes client users, follow the procedure below: Verifying widget trust for Notes client users.

Verifying widget trust for Notes client users

If an approved OpenSocial widget will be used by Notes client users, those users must have trust established for the signer of the widget. You establish this trust by including any administrators who approve (sign) widgets in the ECL specified in a Security settings policy on the Domino server running Shindig. Make sure that you have followed the procedure above under Configuring the OpenSocial component for Notes clients > Configuring a Security settings policy document to establish trust. You can verify that the correct ECL settings are being applied by logging into Notes as a (test) user for whom you are planning to render an embedded experience.

Procedure

1. Open the Notes client (Notes 9.0 Social Edition) as the test user.
2. Select File > Security > User Security and enter the user's password.
3. Select What Others Can Do > Using Workstation.
4. Under When code is signed by, check that the name(s) of the administrators whom you specified in the ECL in the Security settings policy are in the list, and make sure that the check box Configure widget capabilities is enabled for any such administrator.
   Note This Configure widget capabilities check box appears if the following setting is specified in the client user's notes.ini file: $ENABLE_EE=1


Editing an approved widget

Any changes made to the widget document, for example, changing platform, description, or title, result in the document's no longer being approved. When you make changes to the widget document, you need to re-approve the document. In addition, edited proxy settings will not be applied for Notes client users until the widget catalog application replicates.

Modifying proxy settings after approval

The Configure Proxy dialog box displays the OpenSocial widget with which proxy settings are associated. The right side of the page displays a list of the defined proxies for the widget.

If changes are required to the proxy settings, open the widget document, then select Edit Proxy Data to review and update the proxy settings. These procedures work regardless of whether the proxy settings are listed on the Gadget Proxy or Content Proxy tab.

To add settings for a proxy

1. Specify the URL, Actions, Headers, Cookies, and MIME types.
2. Click Save. Settings are added to the list on the right. If the URL is changed, a new proxy is added to the list using the new URL, and the proxy using the original URL is still listed.
   Tip Save acts like a Save As.

To edit settings for a proxy

1. From the list of proxies on the right, select the proxy whose settings you want to edit.
2. Click Edit. The fields are populated with the existing values for the proxy; edit them as desired.
3. Click Save. If the URL is changed, a new proxy is added to the list using the new URL, and the proxy using the original URL is still listed.
   Tip Save acts like a Save As.

To remove a proxy

1. From the list, select the proxy whose settings you want to remove.
2. Click Remove.

To remove all settings for all proxies

Click Remove all.


Removing approval for a widget

If a widget document is approved and later is not needed, complete these steps:
1. Edit the widget document.
2. Expand the Security Section.
3. Click Remove. The security state reverts to Approval Needed.

Modifying OAuth data after approval

During the approval process, the approver is prompted to approve the OAuth client consumer information if a gadget includes it. If changes to the OAuth client consumer information are required, open the widget document, and select Edit OAuth Data to review and update the proxy settings in the Configure OAuth Consumer Information dialog box.

Troubleshooting

Errors

- If the gadget's request is completely rejected, for example, if the requested URL is not permitted, then this is typically treated internal to the server as an HTTP response code 403. This may display in different ways depending on the actual request. Proxy-rejected requests that return a 403 response code are cached for the negative cache TTL. The default is 5 minutes, unless the gadget is making a specific refresh interval designation. Even if proxy settings are corrected, the server may still use a previously cached response. To determine the proxy settings used for a request, enable trace at level CONFIG for the logger com.ibm.fiesta.commons.internal.ProxiedHttpFetcher

  The trace messages generated by this logger will look as follows:

  Mapping: http://www.example.com:80//gadgets/testgadget.xml URL: http://www.example.com/commerce/query

  From this message, you can determine that the gadget making the request is http://www.example.com:80//gadgets/testgadget.xml and the target resource is http://www.example.com/commerce/query. If the target resource is not covered by the policies defined for the gadget, then an update may be required. Two other mappings that may also appear are /anonymous and /Internal. The /anonymous mapping is used for the content proxy requests, and shows the target resource. If the target resource is not being retrieved, then a change to the Content Proxy settings in the Configure Proxy dialog box may be required. The /Internal mapping is used for some requests that the gadget server initiates to perform its tasks. You cannot edit the /Internal mapping.

- To assist in identifying where a proxy request is being rejected, or where headers or cookies are not being sent with a particular request, enable these loggers at the FINER level to obtain more detail:
  com.ibm.mashups.proxy.connection.HttpURLConnectionFilter
  com.ibm.mm.proxy.connection.filter.RequestHeaderValidationFilter
  com.ibm.mm.proxy.connection.filter.CookieFilter


Server configuration issues


If you change proxy settings, there can be a delay before they are applied. For the gadget server on the Notes client, the proxy settings are updated when the widget catalog application configured in the Notes client user's preferences is replicated. For the gadget server on Domino, the settings must be pushed from the widget catalog application to the credential store application according to the schedule for the PushToCredStore agent. The PushToCredStore agent is usually configured to run on document updates.

The gadget server reads the proxy configuration documents when the proxy is first needed. By default, the proxy configuration documents are checked for updates every 60 minutes. You can change this interval by specifying the SocialProxyRefreshInterval in the notes.ini file of the Domino server. If an immediate update is needed on the server, you can immediately refresh the proxy settings using this Domino console command:

tell http osgi social refresh proxy

OAuth issues

OAuth documents are stored in the credential store on the Domino server. At runtime, any consumer and token documents are cached for increased performance. Changes made to existing OAuth client consumer documents may not take effect until the server is aware of changes. By default, the server checks for updates every 60 minutes. You can modify the interval using the SocialOAuthRefreshInterval setting in the notes.ini file of the Domino server. If an immediate update is needed on the server, you can refresh the OAuth client documents using this Domino console command:

tell http osgi social refresh oauthconsumers

Proxy metadata

The mashup maker proxy used by the Shindig server may need additional configuration of metadata in some cases. You can configure metadata to specify general proxy configuration properties.

Tip For more information on properties, and on forwarding HTTP error codes to the client, see this wiki article: Advanced configuration

Procedure

1. In the widget catalog application, select the Administration > Configuration view.
2. Select the Configure Meta-data action and apply settings listed in the following tables as needed: Table: Metadata to configure the proxy to make a connection through a boundary (pass through) proxy and Table: Metadata to control how outbound connections are used.


Table: Metadata to configure the proxy to make a connection through a boundary (pass through) proxy
Metadata setting: passthru_host
Description: The host name of the pass through proxy.

Metadata setting: passthru_port
Description: The port of the pass through proxy.

Metadata setting: passthru_ntlm_domain
Description: The NT LAN Manager (NTLM) Windows domain and user of the boundary proxy in order to authenticate the user against an NTLM domain.

Metadata setting: passthru_realm
Description: Optional. If a user name and password are needed for the proxy, specify the proxy realm so that the credentials are not sent to any proxy. If you do not specify a realm, any realm is accepted and used for the proxy.

Metadata setting: passthru_username
Description: Optional. The user name for the proxy.

Metadata setting: passthru_password
Description: Optional. The password for the proxy.

Metadata setting: passthru_nonProxyHosts
Description: Optional. Indicates which hosts should be connected directly and not through the passthru-proxy. The value can be a list of hosts, each separated by a | character. A wildcard character (*) can be used for matching, for example localhost|*.local.

Table: Metadata to control how outbound connections are used


Setting: socket-timeout
Description: The default socket timeout in milliseconds. The socket timeout defines the length of time the proxy server waits for data after successfully establishing a connection with the target server. The default value is 30,000 milliseconds (30 seconds). A timeout value of zero is interpreted as an infinite timeout.

Setting: retries
Description: The number of retries to be performed if the proxy could not establish a connection with the target server. The default value is two retries.

Setting: max-connections-per-host
Description: The number of HTTP connections the proxy can open to connect to a specific host. The default value is 10 connections per host.

Setting: max-total-connections
Description: The maximum number of HTTP connections that the proxy can open to connect to arbitrary target hosts. The default value is 200 connections.

Setting: unsigned_ssl_certificate_support
Description: If this parameter is set to true, the proxy connects to any HTTPS URL allowed by the proxy, regardless of whether or not it trusts the specified host. The default and recommended setting is false.


Server NOTES.INI parameters to enable widgets, embedded experiences, live text, and OpenSocial features

You can use the following parameters in the NOTES.INI file on the Domino server. These notes.ini file settings are server-wide settings, whereas policies are used per user on every server. If you need to disable embedded experiences or live text on a server, use these notes.ini file settings.

Note These settings have no effect on the Notes or iNotes client unless the Domino OpenSocial component is installed.

Related to iNotes clients

Parameter: iNotes_WA_EnableEE
Acceptable values: 0|1
Default value: 0
Description: Set to 1 to enable embedded experiences in iNotes.

Parameter: iNotes_WA_LiveText
Description: Set to 1 to enable live text in iNotes.

Parameter: iNotes_WA_Widgets
Description: Set to 1 to enable widgets in iNotes. If iNotes_WA_Widgets is disabled, embedded experiences, live text, and OpenSocial are all disabled (regardless of other settings) because widgets is the core of all of those features.

Parameter: iNotes_WA_OpenSocial
Acceptable values: 0|1
Default value: 0
Description: Set to 1 to enable OpenSocial Widgets in iNotes. If iNotes_WA_OpenSocial is disabled, embedded experiences is disabled (regardless of the embedded experiences setting) because embedded experiences uses OpenSocial widgets.

0|1

Name of a Domino group N/A

Related to OAuth protocol use in Notes and iNotes clients


Parameter: SocialOAuth2ClientCacheSize
Acceptable values: A number > 0
Default value: 20
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 client information.

Parameter: SocialOAuth2TokenCacheSize
Acceptable values: A number > 0
Default value: 1000
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 tokens.

Parameter: SocialOAuth2AccessorCacheSize
Acceptable values: A number > 0
Default value: 100
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 accessor objects. These objects are used for in-progress OAuth authentication processes.

Parameter: SocialOAuth10aClientCacheSize
Acceptable values: A number > 0
Default value: 20
Description: Sets the size (number of objects) of the least recently used cache of OAuth 1.0a client information.

Parameter: SocialOAuth10aTokenCacheSize
Acceptable values: A number > 0
Default value: 1000
Description: Sets the size (number of objects) of the least recently used cache of OAuth 1.0a tokens.


Related to gadgets
Parameter: SocialCapabilitiesRefreshInterval
Acceptable values: A number > 0
Default value: 60
Description: Interval in minutes at which to check for updates to gadget capabilities in order to refresh the cached information; 0 or less disables the refresh check.

Parameter: SocialOAuthRefreshInterval
Acceptable values: A number > 0
Default value: 60
Description: Interval in minutes at which to check for updates to OAuth client information; 0 or less disables the refresh check.

Parameter: SocialProxyRefreshInterval
Acceptable values: A number > 0
Default value: 60
Description: Interval in minutes at which to check for updates to proxy configuration rules; 0 or less disables the refresh check.

Using a credential store to share credentials


In this beta release, the on-premises Domino server can use a credential store application (credstore.nsf). The credential store is a secure repository for document encryption keys and other tokens necessary for Notes and iNotes client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts.

Note In combination with OpenSocial component configuration and deployment, a credential store allows Domino to support embedded-experience applications designed using the OpenSocial 2.0 standard and the Apache Shindig container.

About this task


If your Notes or iNotes client users run the OpenSocial component, a credential store provides the following benefits:
- iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster.
- Notes users can authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts.

In addition, you can centrally store OAuth consumer keys and secret information without requiring any insecure distribution of document encryption keys. After you have created the credential store, you use it to store centrally the consumer key and secret that you create whenever you configure a Domino server application to access the Web using the OAuth protocol, as well as the access token generated when a Notes or iNotes user authorizes the Domino application for access to his or her data on an OAuth-compliant Web site.


Creating the credential store application on a single Domino server

You use Keymgmt commands at the Domino server console to set up the credential store application (credstore.nsf).

About this task

Setting up the application includes the following tasks:
- creating the document encryption key in the Domino server's ID file
- creating the credential store application and assigning the document encryption key to it
- assigning the document encryption key to the credential store
- checking whether the store exists and includes the document encryption key

The console commands create the application from the websecuritystore.ntf template.
Restriction: Do not use this template to create the database manually.

Procedure

1. At the Domino server console, use the keymgmt create nek command to create the document encryption key in the Domino server ID file. For syntax and examples, see the related topics.
2. Check the server console log and make sure you see the following message: NEK credstorekey created successfully
3. Make note of the displayed fingerprint for the key.
4. Use the keymgmt create credstore command to create the credential store application and assign the document encryption key.
5. Make sure the displayed fingerprint matches the one you made note of in the previous step.
6. Make sure the Domino server \data directory now has a directory \IBM_CredStore.
7. Make sure credstore.nsf exists in the directory.


Creating the credential store application in a cluster

You use Keymgmt commands at the Domino server console to set up the credential store application (credstore.nsf). When the application is used in a cluster, you also create replicas of it on each server.

About this task

Setting up the application includes the following tasks:
- creating the document encryption key in the Domino server's ID file
- exporting the document encryption key and importing it into the ID files of the other servers in the cluster
- creating the credential store application and assigning the document encryption key to it
- checking whether the credential store exists and includes the document encryption key
- creating replicas of the credential store on each server in the cluster

The console commands create the application from the websecuritystore.ntf template.
Restriction: Do not use this template to create the database manually.

You perform all of the following steps at the Domino server console, and you can check the key fingerprints displayed either in the console itself or in the server console log.

Procedure

1. At the server console for the first Domino server in the cluster, use the keymgmt create nek command to create the document encryption key in the Domino server ID file. For syntax and examples, see the related topics.
2. Take note of the displayed fingerprint for the key, and make sure you see the message: NEK credstorekey created successfully.
3. Use the keymgmt export nek command to create a local file that contains the key. For syntax and examples, see the related topics.
4. Make sure the displayed fingerprint matches the one you made note of in the previous step, and make sure you see the message: NEK credstorekey exported successfully.
5. Copy the key file to all servers in the cluster.
6. At the console on each of the other servers, use the keymgmt import nek command to import the document encryption key from the file you created into the ID file of each server. For syntax and examples, see the related topics.
7. Make sure the displayed fingerprint matches the one you made note of in the previous steps, and make sure you see the message: NEK credstorekey imported successfully.
8. Back on the original server, use the keymgmt create credstore command to create the credential store application and to assign the document encryption key. For syntax and examples, see the related topics.
9. Make sure the displayed fingerprint matches the one you made note of in the previous steps.


10. Make sure the Domino server \data directory now has a directory \IBM_CredStore.
11. Make sure credstore.nsf exists in the directory.
12. Create replicas of the credstore.nsf in a \data\IBM_CredStore directory on the rest of the servers in the cluster.
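The fingerprint comparisons in steps 2 through 9, as an added example (not IBM's code): a Python helper that takes the fingerprints an administrator transcribed from each console or console log and reports every server whose key differs or whose step was never recorded. The record layout, step labels, server names and fingerprint strings are constructed for illustration; this page does not specify how the console formats a fingerprint.

```python
from dataclasses import dataclass

# Success messages quoted in the procedure, keyed by step labels chosen for this example.
EXPECTED_MESSAGE = {
    "create_nek": "NEK {key} created successfully.",
    "export_nek": "NEK {key} exported successfully.",
    "import_nek": "NEK {key} imported successfully.",
}


@dataclass(frozen=True)
class Observation:
    server: str        # server whose console showed the output
    step: str          # create_nek | export_nek | import_nek | create_credstore
    fingerprint: str   # fingerprint as transcribed by the administrator
    message: str = ""  # success message seen, for the steps that print one


def normalize(fingerprint):
    """Ignore case and separators so hand-copied values compare reliably."""
    return "".join(ch for ch in fingerprint.upper() if ch.isalnum())


def check_distribution(key, first_server, cluster, observations):
    """Return a list of problems; an empty list means every check passed."""
    seen = {(ob.step, ob.server): ob for ob in observations}
    created = seen.get(("create_nek", first_server))
    if created is None or not normalize(created.fingerprint):
        return [f"{first_server}: no fingerprint recorded for create_nek"]
    reference = normalize(created.fingerprint)

    # Steps the procedure requires: create and export on the first server,
    # import on every other cluster member, then credential store creation.
    required = [("create_nek", first_server), ("export_nek", first_server)]
    required += [("import_nek", s) for s in cluster if s != first_server]
    required.append(("create_credstore", first_server))

    problems = []
    for step, server in required:
        ob = seen.get((step, server))
        if ob is None:
            problems.append(f"{server}: step {step} not recorded")
            continue
        if normalize(ob.fingerprint) != reference:
            problems.append(f"{server}: {step} fingerprint differs from the created key")
        template = EXPECTED_MESSAGE.get(step)
        if template and ob.message.strip() != template.format(key=key):
            problems.append(f"{server}: {step} success message not seen")

    # The key file is only meant for cluster members; flag imports elsewhere.
    for step, server in seen:
        if step == "import_nek" and server not in cluster:
            problems.append(f"{server}: key imported on a server outside the cluster")
    return problems


# Constructed sample data (not real fingerprints or server names).
CLUSTER = ["srv1", "srv2", "srv3"]
FP = "AB12 CD34 EF56 7890"
GOOD = [
    Observation("srv1", "create_nek", FP, "NEK credstorekey created successfully."),
    Observation("srv1", "export_nek", "ab12cd34ef567890", "NEK credstorekey exported successfully."),
    Observation("srv2", "import_nek", FP, "NEK credstorekey imported successfully."),
    Observation("srv3", "import_nek", FP, "NEK credstorekey imported successfully."),
    Observation("srv1", "create_credstore", FP),
]
# srv2 was skipped and srv3 shows a different key.
BAD = [
    GOOD[0],
    GOOD[1],
    Observation("srv3", "import_nek", "AB12 CD34 EF56 0000", "NEK credstorekey imported successfully."),
    GOOD[4],
]

if __name__ == "__main__":
    for line in check_distribution("credstorekey", "srv1", CLUSTER, BAD):
        print(line)
```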

Moving the credential store application

When you move or decommission a server that includes a credential store application (credstore.nsf), be sure to manage the movement of the credential store so that it functions properly after the change. Moving the credential store application requires different steps depending on whether the servers are in a cluster or not, and whether a server is being decommissioned.

You perform all of the steps for moving a credential store at the Domino server console, and you can check the key fingerprints displayed either in the console itself or in the server console log. For syntax and examples on the Keymgmt commands, see the related topics.

Moving the credential store in and out of clusters


Procedure
1. Do one of the following:
2. If you are moving a non-clustered server to a new cluster, and the moved server will become the first server in the cluster, follow these steps to move the credential store from the non-clustered server:
   a. Use the keymgmt export command to copy the credential store data to a file.
   b. Rename the credstore.nsf file.
   c. Change the server document to specify the new cluster name, and restart the server.
   d. Use the keymgmt create command to create a new credential store application.
   e. Use the keymgmt import command to populate the new credential store application with the copied credential store data from the file you created in step 1.
3. If you are moving a non-clustered server to an existing cluster that already has a credential store, follow these steps to move the credential store from the non-clustered server:
   a. Use the keymgmt export command to copy the credential store data to a file.
   b. Rename the credstore.nsf file.
   c. Change the server document to specify the name of the existing cluster, and restart the server.
   d. Use the keymgmt create command to create a new credential store application.
   e. At another server in the existing cluster, use the keymgmt export and keymgmt import commands to examine the document encryption key in the server ID file.
   f. On the server you are moving, create a replica of the credential store application from the server where you confirmed the server ID file contains the correct document encryption key.
   g. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1.
4. If you are moving a server that already has a credential store out of a cluster, follow these steps to move the credential store:
   a. Use the keymgmt export command to copy the credential store data to a file.
   b. Rename the credstore.nsf file.
   c. Change the server document to remove the server from the cluster, and restart the server.
   d. Use the keymgmt create command to create a new credential store application.
   e. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1.
5. If you are moving a clustered server to a new cluster, and the moved server will become the first server in the new cluster, follow these steps to move the credential store:
   a. Use the keymgmt export command to copy the credential store data to a file.
   b. Rename the credstore.nsf file.
   c. Change the server document to specify the new cluster name, and restart the server.
   d. Use the keymgmt create command to create a new credential store application.
   e. Use the keymgmt import command to populate the new credential store application with the copied credential store data from the file you created in step 1.
6. If you are moving a clustered server to a different existing cluster, follow these steps to move the credential store:
   a. Use the keymgmt export command to copy the credential store data to a file.
   b. Rename the credstore.nsf file.
   c. Change the server document to remove the server from its original cluster, and restart the server.
   d. On the server you are moving, create a replica of the credential store application from another server in the target cluster where you have confirmed the server ID file contains the correct document encryption key.
   e. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1.


Moving the credential store from a decommissioned server

About this task


Follow this procedure when you want to decommission a server and move an existing credential store application from the server being decommissioned to another (target) server.

Procedure
1. Use the keymgmt export command to copy the credential store data to a file.
2. If the server to which you are moving the credential store application (the target) is not clustered, use the keymgmt create command on the target server to create a new credential store application.
3. Use the keymgmt import command to populate the credential store application on the target server with the copied credential store data from the file you created in step 1.

List of server commands and syntax

This list briefly describes the IBM Domino server commands that are available.

Keymgmt Create
    Creates a credential store application (credstore.nsf) and uses it to store the document encryption key for Web authentication using the OAuth protocol.
Keymgmt Export
    Exports a copy of an existing credential store application (credstore.nsf).
Keymgmt Import
    Imports documents from a credential store application file and adds them to the existing credstore.nsf on a Domino server.

Keymgmt Create
Creates a credential store application (credstore.nsf) and uses it to store the document encryption key for Web authentication using the OAuth protocol.

Details
This command creates the credential store application credstore.nsf in the directory data\IBM_CredStore on the Domino server. Then Domino checks the Domino server ID file to ensure that the document encryption key specified by the Keymgmt command exists. If the key exists, Domino creates a document in the Credential Store database specifying the name and fingerprint of the document encryption key, and whether the credential store application is only to be used on the same server, or within a cluster.

Restriction
In the current release, there can be only one credential store on a non-clustered server, or one per cluster if your organization uses clusters, and the credential store application must be named credstore.nsf.


Tip
The command uses the abbreviation nek for "named encryption key," which is another term for the document encryption key.

Syntax
    KEYMGMT CREATE nek nekname
    KEYMGMT CREATE credstore nekname

Examples
To create a document encryption key called credstorekey, to be used to secure a credential store, enter:
    KEYMGMT CREATE nek credstorekey
To create the credential store using a document encryption key called credstorekey, enter:
    KEYMGMT CREATE credstore credstorekey

Keymgmt Export
Exports a copy of an existing credential store application (credstore.nsf).

Details
This command creates a credential store application file called filename in the directory data\IBM_CredStore on the Domino server specified in the command by servername. Then Domino creates a copy of every document in the original credstore.nsf and stores it in the new application file. The filename is relative to the directory from which you launched the Domino server. If the file does not already have the extension .key, Domino adds it.

Note: If any document being copied has an encrypted bulk key, the document is decrypted and re-encrypted with the public key of the Domino server specified in the command by servername.

Syntax
    KEYMGMT EXPORT credstore filename servername

Examples
To export the credential store to a database called credstore_renovations.nsf on the server renovations_sales, enter:
    KEYMGMT EXPORT credstore credstore_renovations.nsf renovations_sales


Keymgmt Import
Imports documents from a credential store application file and adds them to the existing credstore.nsf on a Domino server.

Details
This command copies all documents from a credential store application called filename. The filename is relative to the directory from which you launched the Domino server. Then Domino adds the documents to the existing credstore.nsf in the directory data\IBM_CredStore on the Domino server where you issue the command.

Note: If any document being copied has an encrypted bulk key, the document is decrypted with the private key of the Domino server where you issue the command, and re-encrypted with the document encryption key specified in the credstore.nsf already existing on the same server.

Syntax
    KEYMGMT IMPORT credstore filename

Examples
To import documents from a credential store application called credstore_renovations.nsf, enter:
    KEYMGMT IMPORT credstore credstore_renovations.nsf

Secure Hash Algorithm (SHA-2)


The Secure Hash Algorithm (SHA-2) is available for use with some encryption features on all platforms supported by Domino 9.0 Social Edition. SHA-2 is widely used and is approved by Federal Information Processing Standard (FIPS) 140-2, to assist in compliance with government mandate NIST 800-131. SHA-2 is currently available to use for X.509 certificate signature verification and S/MIME signed mail, and some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed." For more information on hashing, see the Information center topic on electronic signatures:

Electronic signatures
No Domino configuration is required to make use of SHA-2. When Notes client users receive S/MIME messages encrypted using the algorithm, SHA-2 is listed in the Document Encryption and Signing Properties box that a client user can open by clicking the Signature or Encryption icon in the Notes client status bar.

Tip
It is recommended that the Domino administrator use RSA-2048 and AES-128 with SHA-2. To do so, set all client users' ID files to use 2048-bit RSA keys, and configure all Person documents with the setting Can decrypt documents using FIPS 140-2 approved algorithms in order to ensure AES-128. For more information, see the Information center topic on configuring AES encryption.


New Notes client preferences now assignable by policy


You can use the new option Mark new contacts as private by default in the Desktop policy settings document, Basics tab, Contacts section to assign this client preference. The preference is useful for client users who delegate access to their mail and contacts. There are also NOTES.INI settings you can use on the Domino server in the Desktop policy settings document, Custom Settings > Notes.ini tab to apply other calendaring improvements in this release to users of a policy:
• AUTO_SORT_DATE=11 or 12 - Enables the preference Automatically sort date columns (takes effect after reopening mail tab). A value of 11 enables the option Most recent on top (the default) and 12 enables Most recent on bottom.
• TypeaheadShowServerFirst=1 - When users affected by the policy see a typeahead list, the server lists server results first, and then a Search Local Directory for name option.
  Tip: This NOTES.INI setting also works in Notes/Domino release 8.5.3.

Widgets changes
The Widgets tab in the desktop policy settings document provides additional How To Apply settings.

These settings now make available a drop-down list of all How To Apply settings:
• Widget catalog categories to install
• Enable Live Text

These settings continue to provide a drop-down list of all How To Apply settings:
• Widget catalog server
• Widget catalog application name
• Show the My Widgets panel in the sidebar


The remaining settings have the new Don't set value How To Apply option.

Widgets in iNotes

In this beta release of IBM iNotes 9.0 Social Edition, the widgets feature in the Outline view of the Domino Administrator client is no longer supported. The My Widgets sidebar has replaced widgets in the Outline view. Widgets that were installed into the Widgets folder in the Outline view will not be migrated to the My Widgets sidebar panel. You will need to reinstall those widgets into the My Widgets sidebar panel.

The IBM iNotes > Configuration tab on the Mail policy settings document contains a Widget Settings section. That section of the policy document is marked as "Obsolete as of Domino 9.0." The two settings in that section apply to widgets in the Outline view, which is no longer supported. Those settings do not apply to the My Widgets sidebar.


Configuring widgets for specific Notes client releases

For support of Notes or iNotes client users, the administrator of the widget catalog on the Domino 9.0 Social Edition server can use the Platform field in widget catalog documents to control which widgets in a category of widget are deployed to client users of this release and of earlier releases of Lotus Notes and Lotus iNotes. This feature is enabled by default on iNotes clients. For Notes clients, you need to enable a preference to use this feature.

If a desktop settings policy is set up to push a widget catalog server, widget catalog application name, and widget categories to install to the users of the policy, the Platform field determines whether the widgets in the category should be installed on the specific client and release.

Important
OpenSocial widgets should be installed only on Notes 9.0 Social Edition or iNotes 9.0 Social Edition or later clients. To install such widgets properly, set the Platform field to IBM Notes 9.0 and, if you have iNotes client users, IBM iNotes 9.0.

Notes Preferences

Use the preferences described in this section to customize how this filtering works on Notes clients:

Preference 1: com.ibm.rcp.toolbox.admin/filterByWidgetPlatform
The default value of this preference is 'false'. When set to false, no filtering is done and all widgets in the configured categories are installed during category installation of widgets. When set to true, widgets are filtered during category installation of widgets.

Preference 2: com.ibm.rcp.toolbox.admin/currentNotesPlatform
The default value of this preference in Notes 9.0 Social Edition is the release number indicator N90. N90 maps to the Platform field value of "IBM Notes 9.0" in widget documents.
Use this preference to define the current platform release. During category install of widgets, the currentNotesPlatform value is compared to the release number indicators listed in the Platform field entries in widget documents. The release number indicators in the widget catalog are:
• N801 for IBM Lotus Notes 8.0.1
• N802 for IBM Lotus Notes 8.0.2
• N85 for IBM Lotus Notes 8.5
• N851 for IBM Lotus Notes 8.5.1
• N852 for IBM Lotus Notes 8.5.2
• N853 for IBM Lotus Notes 8.5.3
• N90 for IBM Notes 9.0
See the 'strictWidgetFilter' preference for more information on how filtering is done. If you change the currentNotesPlatform parameter from its default value, you should use the syntax of N<release>, for example, N90FP1. In the widget catalog, you would then add your own custom platform value in your widgets using the same syntax: N90FP1. This will allow you to deploy widgets to specific fixpack installations.

Preference 3: com.ibm.rcp.toolbox.admin/strictWidgetFilter
The default value of this preference is 'true'.


When set to true, and the filterByWidgetPlatform parameter is enabled, during category installation of widgets, one of these actions occurs:
• If the Platform field list of the widget contains the currentNotesPlatform value, the widget is installed
• If the Platform field list is empty, indicating all releases, the widget is installed
• If the Platform field list of the widget has at least one release in it and the list does not contain the currentNotesPlatform value, then the widget is not installed and a warning message is logged

If this preference is set to true and filterByWidgetPlatform is enabled, during drag-and-drop installation of a widget, the following occurs:
• If the Platform field list of the widget has at least one release in it and the list does not contain the currentNotesPlatform value, the widget is installed, but a warning message is logged

If this preference is set to false and filterByWidgetPlatform is enabled, during category installation of widgets, one of these actions occurs:
• If the Platform field list of the widget contains the currentNotesPlatform value or any value indicating a previous release of Lotus Notes, the widget is installed
• If the Platform field list is empty, indicating all platforms, the widget is installed
• If the Platform field list of the widget has at least one value in it and the list does not contain the currentNotesPlatform value or any value specifying a previous Lotus Notes release, then the widget is not installed and a warning message is logged

If this preference is set to false and filterByWidgetPlatform is enabled, during drag-and-drop installation of a widget, the following action occurs:
• If the Platform field list of the widget has at least one value in it and the list does not contain the currentNotesPlatform value or any value specifying a previous Lotus Notes release, the widget is installed, but a warning message is logged

iNotes settings

A new NOTES.INI parameter in the NOTES.INI file on the Domino 9.0 Social Edition server running iNotes controls whether the filtering of widgets during category installation is strict or not strict:

    iNotes_WA_strictWidgetFilter

The default value is "1" which enables strict filtering. You can change the value to "0" to disable strict filtering.

When the parameter is set to "1", during category installation of widgets, one of these actions occurs:
• If the Platform field list of the widget contains the indicator for the current iNotes release (IBM iNotes 9.0) value, the widget is installed
• If the Platform field list is empty, which indicates all releases, the widget is installed
• If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0), then the widget is not installed and a warning message is logged

When this preference is set to "1", during drag-and-drop installation of a widget, the following occurs:
• If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0), the widget is installed, but a warning message is logged


When this preference is set to "0", during category installation of widgets, one of these actions occurs:
• If the Platform field list of the widget contains the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, the widget is installed
• If the Platform field list is empty, which designates all releases, the widget is installed
• If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, then the widget is not installed and a warning message is logged

When this preference is set to "0", during drag and drop installation of a widget, the following action occurs:
• If the Platform field list of the widget has at least one platform in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, the widget is installed, but a warning message is logged
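The filtering rules above for Notes clients, collected into one decision function as an added example (not IBM's code), together with an audit that lists widgets a category install would skip but a drag-and-drop install would still accept. The function names, the constructed catalog, and the treatment of custom indicators such as N90FP1 (matched only by equality, never counted as a "previous release") are assumptions of this example. The iNotes rules have the same shape with filtering always on, but this page lists no iNotes release indicators, so a caller would have to supply that list.

```python
# Release number indicators listed for the widget catalog, oldest first.
NOTES_RELEASES = ["N801", "N802", "N85", "N851", "N852", "N853", "N90"]


def decide(platforms, current="N90", filter_enabled=False, strict=True,
           mode="category", releases=NOTES_RELEASES):
    """Return (installed, warning_logged) for one widget.

    platforms       indicators from the widget's Platform field ([] = all releases)
    current         currentNotesPlatform value
    filter_enabled  filterByWidgetPlatform (default false)
    strict          strictWidgetFilter (default true)
    mode            "category" or "drag-and-drop"
    """
    if mode not in ("category", "drag-and-drop"):
        raise ValueError("mode must be 'category' or 'drag-and-drop'")
    if not filter_enabled:
        # No filtering is done. The page states this for category installs;
        # applying it to drag-and-drop as well is an assumption.
        return True, False

    listed = {p.strip() for p in platforms if p.strip()}
    match = not listed or current in listed
    if not match and not strict and current in releases:
        # Non-strict: any indicator for a release before the current one also matches.
        earlier = set(releases[:releases.index(current)])
        match = bool(listed & earlier)

    if match:
        return True, False
    if mode == "category":
        return False, True   # not installed, warning logged
    return True, True        # drag-and-drop: installed anyway, warning logged


def audit(catalog, **settings):
    """Names of widgets skipped by category install yet installable by drag-and-drop."""
    gaps = []
    for name, platforms in catalog.items():
        by_category, _ = decide(platforms, mode="category", **settings)
        by_drag, _ = decide(platforms, mode="drag-and-drop", **settings)
        if by_drag and not by_category:
            gaps.append(name)
    return gaps


# Constructed catalog: widget name -> Platform field indicators.
CATALOG = {
    "opensocial-gadget": ["N90"],
    "legacy-sidebar": ["N852", "N853"],
    "all-releases": [],
    "fixpack-only": ["N90FP1"],
}

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "non-strict",
              audit(CATALOG, filter_enabled=True, strict=strict))
```

With the default filterByWidgetPlatform value of false, the Platform field is not enforced on Notes clients at all, so an N90-only widget still reaches an 8.5.3 client. Even with filtering on, a mismatch during drag-and-drop only produces a log warning, which makes that warning the thing to monitor.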

Database maintenance tool (dbmt) for user mail files

In this beta release, you can take advantage of a new tool for performing multiple daily/weekly administrative tasks on users' mail database files. The dbmt tool does all of the following:
• runs copy-style compact operations
• purges deletion stubs
• expires soft deleted entries
• updates views
• reorganizes folders
• merges full-text indexes
• updates unread lists
• ensures that critical views are created for failover

Important: When you run this tool, you no longer need to run updall; do not run them both. See the procedure below for details.

Command line options
• -compactThreads configures the number of threads for performing the database compact operations. Default is 1 thread. If 0 is specified, no compact operations are performed. Base the value selected on the number of disks backing the data directory.
• -updallThreads configures the number of threads for doing the updall operations. Default is 1; 0 is not allowed. Base the value selected on the number of disks backing the data directory.
• -ftiThreads configures the number of threads for rebuilding of the full text indexes. Default is 1; 0 is not allowed.
• -timeLimit tl - New name for compact -x. Restricts the compact time to tl minutes (for all compacts). This option does not apply to updall. It is assumed a program document is used to run the dbmt tool every day. After all processing for all threads has completed, dbmt exits.
• -range <starttime> <stoptime> - This option assumes that a program document is run only on server startup for the dbmt tool. The dbmt tool sleeps until starttime and performs compact operations until stoptime (or all databases have been processed), at which point the dbmt tool sleeps until starttime.
• -compactNdays n - This option tries to compact all non-system databases every n days.
• -ftiNdays n - Rebuilds full text indexes every n days. Default is to rebuild them only when they are corrupt.
• -force <d> - Selects the day of week to perform fixup on databases that may be having issues compacting. If d is 0 (zero), the fixup operation will run any day. Fixup is run only when 5 or more consecutive compact operations fail (and the failure is not due to database in use). The value of d is between 0 and 7 where 1 is Sunday, 2 is Monday, and so on.
• -stoptime <st> - This option assumes that a program document is used to start the dbmt tool every day. The <st> value specifies at what point compacts should complete. After all processing is complete for all threads, dbmt exits.


System databases

The dbmt tool does not compact system databases. The tool uses a specific list of databases, as follows, for this exception:
• names.nsf
• log.nsf
• admin4.nsf
• ddm.nsf
• lndfr.nsf
• events4.nsf
• statrep.nsf
• dbdirman.nsf
• dircat.nsf
• clubusy.nsf
• domlog.nsf
• cldbdir.nsf
• busytime.nsf
• catalog.nsf
• daoscat.nsf

Note: If your organization has additional system databases (such as other Domino Directory databases with a file name other than names.nsf), specify them in a notes.ini variable as described in the procedure below.

Running the database maintenance tool from a Program document
1. Edit the notes.ini file on the server that contains the mail files and make all the following changes:
   • Remove nUpdall from the ServerTasksAt2 parameter.
   • Set MailFileDisableCompactAbort=1
     Note: This parameter prevents the router from interrupting the compact operations by delivering mail; delivery restarts after the compact operations complete.
   • Add any additional system databases to the notes.ini variable DBMT_FILTER. Separate entries in the list either by a space ' ', a comma ',' or a semi-colon ';'. The names are case-insensitive and are relative to the data directory. For example, if the data directory is d:\notefile and the database in the root of the data directory is log.nsf, you would enter DBMT_FILTER=log.nsf
2. Create a Program document that specifies the dbmt tool runs once at server startup with parameters shown below.
3. Specify the command in the Program document with at least the following options:
   -compactThreads n -updallThreads n -compactNdays n -force d -range starttime stoptime

For example, the following set of parameters specifies 8 threads (based on disk drives backing the notes data directory) for both the compact and updall tasks, a window between 2:00 AM and 5:00 AM in which to run the tool, 5 days to wait before compacting non-system databases, and Sunday as the day to perform fixup on databases that cannot be compacted.

   -compactThreads 8 -updallThreads 8 -range 2:00AM 7:00AM -compactNdays 5 -force 1


Running the database maintenance tool from the server console

When running dbmt from the command line on IBM AIX, Linux, or UNIX, use this format:
   dbmt <filename>
When running compact from the command line on Microsoft Windows, use this format:
   ndbmt <filename>

New option for Updall

Updall performs the following tasks by default. These are also tasks that the database maintenance tool performs:
• purges deletion stubs
• expires soft deleted entries
• updates unread lists

Because the database maintenance tool is meant to replace (and improve upon) running updall nightly, you can use the following new option for updall to skip the tasks above, making updall faster when you run it for any one-time purpose.

   -nodbmt

When you run updall as part of dbmt, Domino also ensures that the following views are built for databases with a template name of StdR85Mail:
• $Inbox
• $Drafts
• $All
• ($RepeatLookup)
• ($ToDo)
• ($Calendar)
• ($Haiku_TOC)
• ($Alarms)
• ($iNotes)
• ($Users)
• ($iNotes_Contacts)
• ($ThreadsEmbeded)

After these views are built, they will not be discarded due to non-use. You can also build additional views for StdR85Mail templates or other templates by specifying NOTES.INI variables using the following format:

   dbmt_templatename=view_name_or_alias;view_name_or_alias;view_name_or_alias

Substitute the template name after the underscore, and separate the view or alias names with either semicolons or commas. For example:

   dbmt_stdr85mail=($sent),stationery;by category


Integrating Connections files with iNotes

You can make file sharing easier for IBM iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with IBM Connections files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Connections. Where possible, the files that are being linked to are shared with the recipients at send time. Users can upload received attachments to Connections Files and then remove the attachment from the email and replace it with a link to the newly uploaded file to save space in their mail file.

Connections 3.6 and more recent versions are supported for integration with iNotes.
1. Configure Connections for your environment.
2. Set up SSO between the Connections server and the IBM Domino server. SSO is not required but it allows users to log in to iNotes and Connections with one logon.
3. Configure the Connections server to display email addresses.

If you specify notes.ini file settings that correspond to the settings on the mail policy settings document, Connection Files Integration section, the mail policy settings are overridden by the corresponding notes.ini file settings.
1. From the mail policy settings document, click IBM iNotes, and then click Configuration.
2. In the Connection Files Integration section, in the Allow Files Integration field, accept the default setting of Enable.
3. In the URL to Connections Files service field, enter the URL for the Connection Files service.
   Note: This URL must point to the URL of just the Files service, not the overall Connections installation. For example, enter http://mycompany.com/connections/files
   Note: Change the default settings in steps 4 - 6 only if necessary.
4. In the Enable sharing linked files in mail field, accept the default of True. Linked files are automatically shared with the email recipients. When this setting is False, the sender must manually share the linked files in Connections with the recipients; however, it will reduce the load on the Connections server when all recipients do not need access to the file.
5. In Maximum group size for sharing linked files field, enter the maximum group size for sharing linked files. By default, linked files are only shared with groups of 100 or fewer members. Sharing linked files with large groups of recipients is inefficient. In the case of a large group, it is better to put the file in a Community or to put it in a folder with shared access.
   Note: This limit only applies to private groups if the delivery option is set to Do not expand personal groups and that group has not been expanded earlier in the session.
6. In the When replying to an email containing links to Files, only share linked files in the newly added part of the thread field, accept the default of False. Changing the setting to True reduces the load on the Connections server for long email threads. However, if a user replies to a thread containing a link to a file in Connections Files and adds a new recipient to the thread, the new recipient is not given access to the file. This setting only applies to email being replied to, not forwarded, since it is likely that the file has already been shared with recipients earlier in the thread. For forwarded email, there are new recipients who are less likely to have access to the file.
7. Complete the procedure Designating the proxy settings in the security policy settings document.
8. If any of the URLs specified in step 7 use SSL with a self-signed certificate, import them into the Domino Directory and cross-certify them so that they are trusted.


Designating the proxy settings in the security policy settings document
1. From the security policy settings document, click Proxies. In the Add white list rule for proxy servlets field, click Edit List. The White list rule to add or modify fields display.
2. In the Context field, enter /xsp/proxy/LcFilesProxy/
3. In the Actions field, enter HEAD, GET, POST, PUT.
   Note: By default, PUT is not enabled on the Domino server. If Internet configurations are being loaded from Server or Internet Sites documents, enable PUT from within the Allowed Methods section of the Configuration tab of the Internet site document. If you are not using Internet Sites documents, then enter this NOTES.INI file setting: HTTPEnableMethods=PUT
4. In the Headers field, enter * (an asterisk).
5. In the MIME Types field, enter * (an asterisk).
6. In the Cookies field, if you are using SSO, be sure to include either LtpaToken or LtpaToken2. If you are not using SSO, do not enter anything.
7. Click Add/Modify Value. The Context and URL values are added to the Add these white-list rules for proxy servlets field. Click OK.
8. If you are not using SSO, repeat steps 2 - 8 using the same Connections URL but with https instead of http for use with the Connections login dialog. The easiest way to repeat these steps is to click Add/Modify Value and modify the URL you just added. Modifying the URL creates a new rule but does not change the existing rule.
9. Click Save and Close.


Notes Client
Purpose of the early drop
Before installing this beta client, it is recommended to first uninstall your existing Notes client. The client team is looking for feedback on specific aspects of the Notes product for each beta release. As a result, areas of the product may not have undergone the extensive testing that normally takes place with releasing a milestone. We don't recommend that you use the early builds for anything other than testing the focus areas for a given drop, as these focus areas have undergone more extensive testing. If you find any problems with any of the focus areas, please report those issues in the forum.

Focus features
As an early beta partner using these features, what we need from you is feedback on (1) the usability of the features, (2) the user interface, and (3) the following write-ups, which will become part of a Technote or wiki article.

Mail features
See messages in your Inbox grouped by date
From your Inbox, select Show > By Date to see your Inbox grouped into messages from Today, Yesterday, Last week, etc.


Abbreviated dates
The Mail views now show abbreviated, simplified dates according to the following changes:

- If the date falls on the current day, then the date column will only show the time, for example: "4:50 PM"
- Yesterday's date will have "Yesterday" plus the time
- If the date falls on a prior day within the past year, then the month and day will be shown with the time, for example: "May 12 3:50 PM"
- If the date falls on a day in a previous year, then the traditional date/time is shown, for example "5/12/2011 3:15 PM"
- If, for some reason, there is a future date in the Mail view, due to OS settings, it will be displayed the way that the "May 12 3:50 PM" example is shown above.

Abbreviated dates can be overridden by the end user. For mail views, the "Use abbreviated dates" checkbox will be checked by default; users can uncheck it to override this behavior. For other views, "Use abbreviated dates" will be unchecked by default.


For Administrators

For mail views, abbreviated dates is now the default. This is done through Designer to make it the default in the mail template, with a new choice for "Abbreviated". Mail views here include all views in Mail including: chat history, followup, etc. Folders will inherit this change if the update is done on folders. This would be available as a choice for all core Notes views having a date column, but will not be turned on by default.

Note: You will not see this check box unless you have the current beta release installed. Also, any modifications made by an older Designer client will clear out this option when the view/folder is saved.

Message "snippets" are available in Inbox view
Preview message text in your Inbox view. From the Inbox, select Show > Beginning of Message to display message body text. Hover over messages in your Inbox to see the first 100 characters.

New action bar button for "Read/Unread" mail
A new action bar button in the Inbox allows you to mark messages Read or Unread, instead of using the Edit > Unread marks menu.


Image preview for attachments
You will now see a thumbnail preview of attachment images when reading MIME email. You will also see this preview when creating image attachments in the rich text editor.

Calendar features
Scroll through One Month view in Calendar
Instead of viewing only one entire month at a time, now you can scroll through the One Month view of the calendar 1 week at a time. For example, instead of being able to view only all of December or all of January, you can view the last few weeks of December and the first few weeks of January.

Use the vertical scroll bar to navigate forward or backward.


- Drag the scroll bar slider to navigate to a specific month (a tool tip will tell you which month you are scrolling to)
- Click the up or down arrow of the scroll bar to navigate forward or backward by one week.
- Click within the scroll bar to navigate forward or backward by one month.

Or use the following shortcuts:


- Scroll backward one month - PgUp
- Scroll forward one month - PgDn
- Scroll backward one week - Ctrl+PgUp
- Scroll forward one week - Ctrl+PgDn


New Weekly Planner in Calendar
Notes 9.0 Social Edition includes a new Calendar view called Weekly Planner. The Weekly Planner shows the days of the week in a two-column format as shown below, which is similar to the Weekly view in the Notes Basic Client. You can scroll within a day to see more entries.

Show available times in the Weekly Planner

In the Weekly Planner, you can click Show > Show Available Times to see the times when no events are scheduled. If you select Show Available Times, it will show a day's available times like this:


Color-code calendar entries by category
You can now color-code your calendar entries by category. Note that this feature will override any existing Calendar Entry Colors settings on the Calendar & To Do > Colors preferences tab. To set category colors for calendar entries, choose File > Preferences > Calendar & To Do > Colors > Category Colors, and set color codes for your calendar event categories:

You can also assign colors for color-coded categories directly from the calendar entry form. From a new calendar entry, select the Assign Colors button.


Check Calendar dialog box remains in view
The Check Calendar dialog can be moved and sized, and now remains on top while you're interacting with Notes.

Forward overlaid teamroom calendar as email
You can now forward a teamroom calendar that you have overlaid into your Notes calendar as an email.

Calendar and Scheduling APIs for C SDK
The Notes and Domino calendar and scheduling API enables application developers to create, modify, read, delete, or take calendar actions on calendar entries and meeting notices in a Domino mail file. The API encapsulates the complexities of Notes/Domino calendar data, including repeating meetings and notice creation, by utilizing the standardized iCalendar data format. A preliminary version of the API for the C SDK is included in CD2. Future Java & LotusScript APIs, as well as a REST calendar service, may be built on top of this C functionality, but are not included in CD2. Specifics of the calendar functionality contained in the C SDK are documented in the calendarapi.h header file. Please provide any feedback regarding the API so that we can determine if further modification is needed before it is finalized. At this point the new API is not yet officially supported and is subject to potential modification or omission in future beta releases.


Instant Messaging features


Embedded Sametime has been upgraded to version 8.5.2 IFR1
The embedded version of Sametime installed with Notes has been upgraded to Sametime 8.5.2 IFR1. To better understand the differences in functionality, please see the complete list of Sametime 8.5.2 system requirements at: http://www-10.lotus.com/ldd/stwiki.nsf/xpViewCategories.xsp?lookupName=Using%20Sametime%20Standard%208.5.2%20documentation

Call phone numbers and start chats through Live Text
All users with Live Text enabled will see new Live Text actions upon installing Notes 9.0 Social Edition CD6 if they use embedded Sametime. The new embedded Sametime version provides Live Text actions to call phone numbers and start chats with people's names that Live Text identifies. If users did not previously have Live Text actions (or widgets) wired to the "person" or "phone number" data type, the Sametime actions will cause Live Text to start underlining this content after upgrading. If users already use Live Text or widgets for Person and/or Phone Number, there will be no difference in usage, only that additional actions are provided in the Live Text drop down. This functionality is working as designed, but if this disrupts users there are options to change this behavior:

Disable Live Text completely (Policy or user preference)


For information on the Policy settings see this link.

If users aren't leveraging Live Text or Widgets, this will prevent any extra annotations.

To disable Live Text locally through preferences:
1. Click File > Preferences.
2. Click Live Text. Note: If this option is not displayed, click Widgets instead. Click the checkbox Show Widgets Toolbar and the My Widgets panel, click OK, and then re-open preferences.
3. Under Live Text, de-select the only checkbox.
4. Click OK.

Disable the specific Content types for Person/Phone Number

If users plan to leverage other capabilities, depending on Policy settings users can disable specific content types including Person and Phone Number. To disable Content Types:
1. Click File > Preferences.
2. Click Live Text.
3. Go to the Live Text Content Types section and uncheck the "Person" or "Phone Number" options, as desired.


Search features
Improved Starts with/Quick Find experience
Now you can find information more easily in Mail, Calendar, teamrooms, or any other view in Notes. You can now select which column to search (which also sorts automatically by that column), and if you're searching for a name, type-ahead will help you quickly find that name.

To use this feature, start typing in any view (or press Ctrl+F) and a dialog will appear, where you can choose which column to search and continue typing the information you'd like to find.

You can choose to search in any column in that view, or choose Any column to search in all columns.


In views with no columns

In views with no columns, such as the One Week or One Month view in Calendar, you can choose to search just that view or search in the entire application. For example, if you're looking at the monthly view of April, select This view to search just the month of April, or select All to search the entire Calendar.

Search results more easily sorted by selected view sort order
The Show Results drop-down menu, which defines the view sort order for search results, has been placed more prominently in the View Search box. This allows you to change the sort order for search results without having to execute the search again each time.

Note: An application must have a full-text index in order for the user to see the Show Results drop-down menu; otherwise you will see a Not Indexed notification link.


Search Mail and Archives at the same time
Note: This feature is only available to Notes Standard client users.
Notes 9.0 Social Edition allows you to simultaneously search your mail file and any mail archive applications you may have created. This option is available in the Search toolbar:

You can disable this option by selecting File > Preferences > Search > Search List and unchecking "All Mail and Archives" from the search list:


iNotes features
iNotes Calendar features
Note: If you followed the CD3 instructions and manually set up INI commands to enable certain new calendar features, the features are enabled by default for CD4 and later, so you can remove the now unneeded CD3 INI commands.

iNotes 9.0 Calendar forms (Create, Edit, Notice) and Scheduler widget preview
Prerequisite: IBM Domino server installation with version 9.0 Social Edition CD6 and iNotes capabilities enabled.
Please post feedback on the new user interface in the Notes/Domino NEXT Design Partner Program forum.

Improved iNotes Calendar Create and Edit forms


- Users have new, easier-to-read forms that are faster to use to schedule team meetings, as well as individual appointments, anniversaries, all day events, and reminders.
- To simplify the feature-rich calendar forms, less frequently used features are hidden, yet they remain available in a way that users can easily re-display them and use the features as needed.
- The new calendar forms are more integrated with the current mail experience and iNotes framework.


Updated calendar entry form:

Improved iNotes Calendar Notice forms


- The updated forms include these notices an invitee can receive: invitations, broadcast notices, reschedule notices, meeting updates, confirmations, cancellations, notices of being removed from a meeting, and delegation notices (from another invitee)
- The updated forms include these notices a chairperson can receive: counter-proposals, information requests, acceptance notices, decline notices, delegation notices, and tentative acceptance notices
- For meeting invitations, users can tell if they are available within the meeting notice. Users can also act on this new status and check their calendars or propose a new time to meet. When proposing a new time, users now have the option to add comments by default. Users no longer have to choose between Propose new time and Propose new time with comments; they can simply add comments to a proposal or not.


iNotes Calendar dynamic Scheduler widget

When a chair creates a meeting or an invitee proposes a new time for a meeting, both can use the new dynamic scheduler widget to easily drag and drop to select a time that accommodates attendee schedules. Users can do the following with the dynamic scheduler widget:

- Drag to change the meeting time or duration
- Notice green check marks over time columns that indicate that all invitees can attend at those times.
- While dragging over different times, notice that the drag bar changes between green and red to indicate whether all invitees can attend or not at the selected time.
- Drop the drag bar on a day boundary to auto-expand the time grid to 24-hour mode
- Quickly pick a recommended meeting time for all required attendees

Finding available time directly from the iNotes Inbox


- Users can schedule a meeting quickly while reading daily email with the new dynamic scheduler widget.
- Right-click on any document and click Find available time to open the new scheduler.
- Use the dynamic scheduler to pick your meeting time and then click Create meeting to schedule the event quickly.


Calendar view improvements

Many iNotes calendar views now have the following improvements:


- Simplified calendar entry colors
- Conflict indicators to show when two calendar events overlap in time (for example, see Tuesday at 10am).
- Gutter area to right of calendar entries that you can easily double-click and create a new entry with an overlapping time

Importing Contacts into iNotes
You can import existing Microsoft Outlook contacts into your iNotes client by first exporting them from Outlook as a comma separated value (CSV) file, and then importing that file.

Support for IBM Social Theme
Support has been added to the current beta release for the IBM Social theme for iNotes. This theme provides a new, cleaner, more modern look to the iNotes 9.0 client. This theme is being adopted across the IBM product line for UI consistency.

Return receipt generation control
A new Domino server NOTES.INI setting called iNotes_WA_SendReturnReceipt enables iNotes users to set how to handle return receipts for incoming messages that request them. The NOTES.INI setting has the following values:

iNotes_WA_SendReturnReceipt=2 | Display prompt giving user the option to send or not send a return receipt for individual messages
iNotes_WA_SendReturnReceipt=1 | Always send return receipt (default)
iNotes_WA_SendReturnReceipt=0 | Never send a return receipt


Paste images from clipboard with Firefox
Firefox users can copy and paste images from the clipboard into the rich text editor of a mail message. Other browsers such as Internet Explorer, Safari, and Chrome are not supported because they do not support pasting images from the clipboard.

Attachments area improvements
A new and improved HTML-based attachment area is available across all browsers. This attachment area also supports drag and drop of files in recent browsers that support HTML5.

Notes link improvements
For 9.0, default links are Notes-only links, rather than web links, and the Notes links are represented by new icons (rather than the icons used in previous releases).

New Notes-only links (default)

If the NOTES.INI setting iNotes_WA_OfferNotesURLLinks is set to 1, then both Notes and web links are displayed, respectively, for a linked item.

New Notes and web links, displayed together

Social Edition: New Widgets and Live Text support for iNotes
NOTE: Widgets and Live Text features are only supported in iNotes client Full Mode.
iNotes provides the following support for widgets and live text in this release of Domino 9.0 OpenSocial component:

Widgets
- New My Widgets sidebar panel, providing a view of all installed widgets, plus browse catalog and update widget actions
- Drag and drop to install web and OpenSocial widgets from the widget catalog. Right-click and choose Remove to remove the installed widget.
- Open web widgets in a tab, window, floating window, or sidebar. Right-click on the widget and choose the corresponding Open command.
- Open OpenSocial widgets in a tab, floating window, or sidebar. Right-click on the widget and choose the corresponding Open command.
- Edit widget properties by right-clicking on a widget and choosing Properties.
- Web and OpenSocial widgets installable via policy by administrators (pushing widgets to end users)


Live text
- Live text recognition and action execution is now supported in emails.
- Send selected text to a widget by selecting the text and double-clicking on the widget in the My Widgets sidebar panel. The widget must have a 'selected text' action configured for it.

IBM Notes Browser Plug-in features

IBM Notes Browser Plug-in
The IBM Notes Browser Plug-in allows you to work with your Notes applications directly in a browser. The plug-in consists of components of the Notes Client, to allow working with your application, as well as components to allow integration inside a browser. The components from the Notes Client which are part of this plug-in are specific to the Notes Basic client; any features in an application that require Standard Client components will not be available when running that application under the Notes Browser Plug-in. Features such as Widgets, LiveText, and Composite Applications fall into this category. If your application runs successfully in the Notes Basic client, it should run un-modified in the Notes Browser Plug-in. There are additional components from the Basic Notes client that have not been included with the plugin:

- Spell Check Dictionaries
- Local Help Files
- Attachment viewers

In addition, the Notes Browser Plug-in does not support access to a user's mailfile; IBM strongly recommends using iNotes for mail access.


Platform Support
The Notes Browser Plug-in is only supported on the Microsoft Windows platform (Windows 7 and Windows 8), and supports the following browsers and versions:
- Firefox (Release 10 and above)
- Internet Explorer (Release 8 and above)

Citrix is also supported in this beta release

Installation
There are now 2 different ways of installing the Notes Browser Plug-in: either using a stand-alone package, or installing the plug-in during the installation of the standard client.

IMPORTANT:
- If you are installing the Notes Browser Plug-in using its own installer, then you must un-install prior versions of Notes from your system. Changes to support prior Notes client installations and migration of data are planned for after the current beta release.
- If you had used the "LotusNotesBrowserExtension.xpi" file from an early pre-beta release, you MUST remove that add-on from Firefox. To remove: Select Tools -> Add-ons in Firefox, select the Notes Browser plugin add-on, and remove it from the browser. Restart the browser.

Notes Browser Plug-in specific installation packages:


There are 2 packages that are available:
- NotesPluginMin - minimum, which does not have a JVM, which means that if you have an application with Java Agents, it will not work.
- NotesPluginMax - includes a JVM.

When you use either of the above installation packages, it will first uninstall any prior installation of Notes. It will then install the components required for the plug-in, and register the components in Firefox or Internet Explorer, or both if both browsers are available on the system. Once you complete this installation, restart the browser for it to detect the new installation.


Installing as part of the Standard Client Install


Starting with the current beta release, there is an option to install the Notes Browser Plug-in during the installation of the Notes Standard client:

Select the "Notes Browser Plug-in" option under 'Notes Client' and select "Install this component on the local hard drive" to install the Browser Plug-in specific components on your system. Once completed, you will be able to use either your Standard Client, or the Notes Browser Plug-in. You cannot run both of them at the same time. Please read the "Known issues" section below for additional information.

Troubleshooting the Browser Plug-in


NSD has been enhanced to capture Browser Plug-in specific information. When you run NSD via the "Start -> IBM Applications -> Support -> Collect IBM Notes diagnostic data" the NSD log file that's generated will contain information related to the browser, to help IBM identify the exact issue which caused the problem.


Tips for using the IBM Notes Browser Plug-in

- If you are using the existing Notes/Data directory, your Notes Client bookmarks are migrated to Firefox and Internet Explorer bookmarks when you launch the IBM Notes Browser Plug-in. The migrated bookmarks will show up under a "Notes Applications" entry in the browser's bookmarks.
- This plug-in does not support access to a user's mailfile. We strongly recommend using iNotes for mail access.
- Once a Notes application or Notes document is opened inside the browser, you can leverage the browser's bookmark or type-ahead functionality to quickly re-open the application or document. Simply start typing the string which will match the application name in the browser's URL bar. Following are some examples of URLs you can use:
  Notes:Home -- Opens the welcome page
  Notes:replication -- Opens the replicator page
  Notes:workspace -- Opens the workspace

Notes URL Syntax: Notes://[optional server]/[required database]
Example URLs: local DB -> notes:///journal.nsf, server DB -> notes://server1/test.nsf

iNotes integration
This code-drop supports tighter integration with the IBM iNotes Client. For this integration to work, you must have a working iNotes environment. Also, please add the following entries to your notes.ini file on the system where the Notes Browser Plug-in is installed:

BrowserAllowiNotesMail=1
INOTES_SERVER_PATH=<servername> (in the format "xyz.ibm.com")

Following are some of the functions that are supported:

- Icon on the iNotes bar to launch the Notes Browser Plug-in (as seen below)
- Clicking on an application link in an email received in iNotes launches the application in the Notes Browser Plug-in.
- Icon on the Notes Browser Plug-in menu bar to launch iNotes
- While looking at any document in the Notes Browser Plug-in, right-clicking on "Forward" will create a memo in iNotes with the current document embedded inside it. For this to work, the following things need to be set:
  - your mailfile or the primary server should have iNotes hosted
  - notes.ini settings as above.


"Copy as table" in the Notes Browser Plug-in has been enhanced to copy view entries as an HTML table, so it can be pasted easily in an iNotes email. If you do not have access to an iNotes server, you can add "BrowserAllowNotes=0" to remove the icon for iNotes access.

Troubleshooting issues under Firefox
After installing the IBM Notes Browser Plug-in, when you first open Firefox, it will ask you to verify and 'enable' the plug-in. You must enable the plug-in and restart Firefox for the Browser Plug-in to work. If, after installing the plugin, a new version of Firefox is installed (new installation) or if the Firefox browser is upgraded to a new version, the option to enable the plug-in may not appear automatically. In that case, select "Tools -> Add-ons" and select 'Extensions' to find the IBM Notes Browser Plug-in Extension entry, then enable it manually. (SPR# AGAM92QHEA).

Browser settings for Internet Explorer
The following settings must be set in Internet Explorer (IE), to have the plug-in work properly:

Options to be checked:
- Always switch to new tabs when they are created
- A new tab in current window

Options to be unchecked:
- Enable automatic crash recovery
- Warn me closing multiple tabs

To run the Notes Browser Plug-in, Internet Explorer must run with Protected Mode disabled; by default, IE runs in Protected Mode for security reasons. With Protected Mode enabled, IE runs at "Low Integrity Level" while the Notes process runs at "Medium Integrity Level". Both IE and Notes should run at "Medium Integrity Level".

The Notes installer adds some registry settings in order to add Notes to the Trusted Sites zone. The installer adds the "notes" = "(2)" entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults registry key. This key gets added for the user who installs Notes for the first time. In the case of a multiuser install, users other than the installing user (generally the administrator) do not have this key in their registry settings. To overcome this issue, the logged-in user will have to make the following changes in their registry:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults - Add: Name - notes, Type - REG_DWORD, Data - 2
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - Change the value for 1809 / add new entry as 1809: Type - REG_DWORD, Data - 3
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - Change the value for 2500 / add new entry as 2500: Type - REG_DWORD, Data - 3

Restart Internet Explorer, and start notes:home.
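The three per-user values listed above can be audited, and written where they are missing, with a short PowerShell script run as the affected user. This is an added example, not part of the IBM release notes: the -Apply switch and the Get-RegValue helper are names chosen here, the Effect text reflects the standard Internet Explorer meaning of those settings, and the policy check covers the case where machine or user policy overrides the per-user zone values.

```powershell
# Added example (not from the IBM release notes): report, and with -Apply write,
# the per-user registry values the notes list for the Notes Browser Plug-in.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # assumption of this example: without it the script only reports
)

$user   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Path, Name and Data come from the release notes; Effect is an annotation.
$required = @(
    [pscustomobject]@{ Path = "$user\ZoneMap\ProtocolDefaults"; Name = 'notes'; Data = 2
                       Effect = 'notes: protocol mapped to zone 2 (Trusted sites)' }
    [pscustomobject]@{ Path = "$user\Zones\2"; Name = '1809'; Data = 3
                       Effect = 'Pop-up Blocker disabled for zone 2' }
    [pscustomobject]@{ Path = "$user\Zones\2"; Name = '2500'; Data = 3
                       Effect = 'Protected Mode disabled for zone 2' }
)

# Policy-delivered zone settings take precedence over the per-user values,
# so a matching HKCU value can still have no effect.
$policyValues = @(
    @{ Path = "HKLM:\$policy";         Name = 'Security_HKLM_only' }
    @{ Path = "HKLM:\$policy\Zones\2"; Name = '2500' }
    @{ Path = "HKCU:\$policy\Zones\2"; Name = '2500' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Compare each required value with what is currently in the user's hive.
$report = foreach ($r in $required) {
    $actual = Get-RegValue -Path $r.Path -Name $r.Name
    [pscustomobject]@{
        Key     = $r.Path
        Name    = $r.Name
        Wanted  = $r.Data
        Actual  = $actual
        Matches = ($null -ne $actual -and $actual -eq $r.Data)
        Effect  = $r.Effect
    }
}
$report | Format-Table -AutoSize -Wrap | Out-Host

foreach ($p in $policyValues) {
    $value = Get-RegValue -Path $p.Path -Name $p.Name
    if ($null -ne $value) {
        Write-Warning "Policy value $($p.Path)\$($p.Name) = $value is set and can override the per-user zone settings."
    }
}

if ($Apply) {
    foreach ($row in ($report | Where-Object { -not $_.Matches })) {
        $target = "$($row.Key)\$($row.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set REG_DWORD to $($row.Wanted)")) {
            if (-not (Test-Path -LiteralPath $row.Key)) {
                New-Item -Path $row.Key -Force | Out-Null
            }
            New-ItemProperty -LiteralPath $row.Key -Name $row.Name `
                -PropertyType DWord -Value $row.Wanted -Force | Out-Null
        }
    }
}
```

Run it without arguments to see which values differ for the current user; adding -Apply -WhatIf lists the writes without making them.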


OpenSocial component features


OpenSocial support
IBM Notes and iNotes Social Edition now support rendering of OpenSocial 2.0-compliant gadgets. All gadgets that are rendered in Notes or iNotes must have widgets in the widget catalog, and the administrator must have approved those widgets. Once the widgets for the OpenSocial gadgets are approved, they can be pushed via policy, or installed via the widget catalog, so that users can open them the same way they open other widgets.

OpenSocial support in both Notes and iNotes Social Edition adds a consistent web programming model across these products. A vast majority of APIs and functionality are available to OpenSocial gadgets inside both clients. Please see the OpenSocial 2.0.1 specifications for more information on the functionality available.

NOTE: Notes and iNotes Social Edition do not support everything in all of the OpenSocial 2.0.1 specifications - some functionality may not work as described in the specifications. Below is a list of what is not supported:

Not Supported:
- Everything in the Social Gadget Specification, except for osapi.people.getViewer, osapi.people.getOwner, <os:ViewerRequest>, and <os:OwnerRequest>.
- The Social API Server Specification.

Below is a list of functionality highlighted in this release:


- Notes and iNotes Social Edition are OAuth 2.0 and OAuth 1.0a consumers, and gadgets can leverage these technologies to make requests to OAuth-protected web services.
- OpenSocial gadgets can make requests to web services via gadgets.io.makeRequest or osapi.http.* (OAuth requests must be made through gadgets.io.makeRequest).
- OpenSocial gadgets may contribute actions and get the current selection in Notes or iNotes.
- Services can use OpenSocial gadgets and URLs to provide embedded experiences in mail. See the "Embedded experiences" section of this document for additional details on this functionality.
- OpenSocial gadgets can open dialogs (modal and non-modal), tabs, and sidebars using the gadgets.views.open* APIs in OpenSocial.

Embedded experiences
Embedded experiences allow application developers to embed content from their applications inside OpenSocial 2.0 containers, like a gadget or a simple web page. Containers and gadgets which support embedded content can choose to render this content as an embedded experience. Embedded experiences can be placed in emails using the MIME standard. For example, in addition to plain text and HTML, MIME types for JSON-based and XML-based applications can be embedded directly in an email. Notes Social Edition and iNotes Social Edition both support embedded experiences in email.

Rendering embedded experiences in your Notes email


In order to render an embedded experience in your Notes mail, you must have installed a widget created for the gadget or URL that is being used as the embedded experience in your 'My Widgets' sidebar panel in your Notes or iNotes client. In addition, the "Disable embedded browser for MIME mail" preference must be un-checked in the Basic Notes Client Configuration preferences.


Gadget actions and OpenSearch
A gadget can contribute actions to the Notes and iNotes clients. These actions can be contributed to the context menu and to either the top-level menu (Notes only) or the toolbar menu (iNotes only). A gadget may contribute actions to specific objects, such as mail messages, contacts, and attachments (Notes only), which display in the context menu when selecting and right-clicking those objects.

In addition, in iNotes, actions on files are contributed to the attachments toolbar. When run, the action opens the parent gadget and runs some JavaScript, which may or may not act on the current selection. The action can specify both the gadget view in which it should open (for example, profile, default, or canvas), and the view target, which is the type of Notes/iNotes view in which the gadget should be opened (for example, tabbed page, sidebar, floating window, or dialog box). If no view is specified, the action runs in the default (or current, if open) view of the gadget, and if no view target is specified, the action runs in a floating window. NOTE: If multiple instances of the same gadget are open, the action runs in all of those views. If any instance of the gadget is open, the action runs in that instance, no new instance is opened, and the view target is ignored.


This action binds to any opensocialPerson object which, in the Notes context, means, for example, the sender in your Inbox or a contact:
<action id="os.test.person" dataType="opensocial.Person" label="Person Action" tooltip="Person Action" />

This action binds to an opensocialPerson object and opens in the profile view inside the gadget:
<action id="os.test.person.blue" dataType="opensocial.Person" label="Profile Person Action" tooltip="Blue Person Action" view="profile" />

This action binds to an opensocialPerson object, opens in the canvas view inside the gadget, and opens the gadget in a new tab:
<action id="os.test.person.blue.tab" dataType="opensocial.Person" label="Tab Person Action" tooltip="Blue Tab Person Action" view="canvas" viewTarget="TAB" />

OpenSearch
Gadgets that implement the opensearch feature contribute the search engine described in the feature to the Notes Search Center. For example, a gadget containing the following feature declaration contributes CNN.com search to the Notes Search Center. (See image below.) The user can then search the CNN web site from inside the Notes client.

Feature declaration
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="CNN Search">
    <Optional feature="opensearch">
      <Param name="opensearch-description"><![CDATA[
        <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
          <ShortName>CNN.com</ShortName>
          <Description>CNN.com Search</Description>
          <InputEncoding>UTF-8</InputEncoding>
          <SearchForm>http://search.cnn.com/</SearchForm>
          <Url type="text/html" method="get" template="http://www.cnn.com/search/?query={searchTerms}">
          </Url>
        </OpenSearchDescription>
      ]]></Param>
    </Optional>
  </ModulePrefs>
  <Content type="html"><![CDATA[ Hello, world! ]]></Content>
</Module>


Example search contributed to the Notes Search Center:

OpenSocial actions in Notes and iNotes
The table below outlines the location in Notes or iNotes where a developer will find various OpenSocial action types and paths, for gadgets they are developing:

| Type | Product | Where |
|---|---|---|
| opensocial.Person | iNotes | Contacts area view context menu |
| opensocial.Person | Notes | Contacts view context menu, Live Name Context menu, Sametime buddy list context menu |
| opensocial.Message | iNotes | Mail area Inbox/Folders view context menu |
| opensocial.Message | Notes | Mail area views/Folders view context menu |
| opensocial.File | iNotes | Mail (reading, not editing) message attachment area toolbar button |
| opensocial.File | Notes | Any attachment in a document, right click menu |


| Path | Product | Where |
|---|---|---|
| container/menus | Notes | Contribute to the notes application menus. container/menus/File/New will place an action in the File -> New Notes menu |
| container/toolbars | Notes | Contribute a toolbar button to the Notes toolbar |

Creating OpenSocial Widgets
In Notes Social Edition 9.0, there is a new widget type: OpenSocial Widgets. The widget type supports creating widgets based on existing OpenSocial Gadgets. A widget developer can create an OpenSocial widget by using the new OpenSocial widget wizard. OpenSocial widgets can be used like other widget types in that you can perform these tasks:
- Open them in a tab, new window, floating window, or in a sidebar panel
- Wire live text to widget actions

An OpenSocial gadget can also provide advanced features (such as using APIs, OAuth, and rendering in an embedded experience) as detailed in the Social Gadget Specification. Due to the use of advanced features, OpenSocial widgets need to be approved by an administrator before they are made available for client use. When a widget developer creates the widget, the developer needs to publish the widget to the corporate widget catalog. The widget catalog administrator then needs to approve the widget. Once approved, Notes and iNotes 9.0 users can install the widget from the catalog and render the widget in their clients.

The widget developer can create OpenSocial widgets using:
1. The "Getting Started with Widgets" toolbar action or Tools > Widgets > Getting Started with Widgets command
2. The My Widgets sidebar panel menu Configure a widget from > OpenSocial Gadget command
3. The "Configure a widget from the current context" toolbar action when an OpenSocial Gadget is open in the embedded browser.


Option 1
Open the widgets Getting Started wizard using the toolbar action or by using the Tools > Widgets > Getting Started with Widgets command. The following dialog box displays:


You can select the OpenSocial Gadget option and click Next to open the getting started wizard for OpenSocial Gadget:

If you choose the Browse the OpenSocial Gadget directory option, an embedded browser tab opens a site where you can search for a gadget. When you find the gadget you want, skip to Option 3 below. If you choose the Add an OpenSocial Gadget option, type the URL for the gadget you want to use and click Next. The URL points to the gadget descriptor (.xml file).


The next wizard page downloads the gadget definition from the URL you specified:


You then see the OpenSocial Widget Feature Capabilities wizard page.

This page lists feature capabilities that the gadget is using. Each feature is listed as Required or Optional as it is listed in the gadget definition. Widget developers can use the Permission column to disable or enable optional features. NOTE: If there is at least one Required feature that is not supported by the client, the widget developer is not allowed to create the widget.
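The Required/Optional listing on this wizard page can also be reproduced from the descriptor itself when a gadget is reviewed before approval. The Python below is an added example, not part of the release notes or of Notes: it lists a descriptor's features, applies the unsupported-Required rule stated above, and reports where an OpenSearch template sends search terms. The supported-feature set and the sample descriptor (modelled on the CNN Search declaration earlier on this page) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical set for illustration; not the Notes client's actual list.
SUPPORTED_FEATURES = {"opensearch", "embedded-experiences", "actions"}

# Constructed descriptor modelled on the page's CNN Search declaration,
# with one Require element added so both kinds of feature appear.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="CNN Search">
    <Require feature="embedded-experiences"/>
    <Optional feature="opensearch">
      <Param name="opensearch-description"><![CDATA[
        <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
          <ShortName>CNN.com</ShortName>
          <Url type="text/html" method="get"
               template="http://www.cnn.com/search/?query={searchTerms}"/>
        </OpenSearchDescription>
      ]]></Param>
    </Optional>
  </ModulePrefs>
  <Content type="html"><![CDATA[ Hello, world! ]]></Content>
</Module>"""


def parse_untrusted_xml(text):
    """Parse XML fetched from a gadget URL, refusing any DTD.

    ElementTree expands internal entities, so a DOCTYPE is rejected up
    front. The substring test is deliberately conservative: it also
    rejects a descriptor whose HTML content carries a DOCTYPE.
    """
    if not isinstance(text, str):
        raise TypeError("decode the descriptor to str first")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTDs and entity declarations are not accepted")
    return ET.fromstring(text)


def search_templates(description_xml):
    """Return the Url templates of an embedded OpenSearch description."""
    found = []
    root = parse_untrusted_xml(description_xml.strip())
    for elem in root.iter():
        # Tags look like '{namespace}Url'; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] != "Url":
            continue
        template = elem.get("template", "")
        parts = urlsplit(template)
        found.append({
            "template": template,
            "host": parts.hostname,           # where search terms are sent
            "cleartext": parts.scheme != "https",
        })
    return found


def review_descriptor(xml_text, supported=SUPPORTED_FEATURES):
    """Summarise a gadget descriptor for a reviewer."""
    root = parse_untrusted_xml(xml_text)
    prefs = root.find("ModulePrefs")
    if root.tag != "Module" or prefs is None:
        raise ValueError("not a gadget descriptor")
    report = {"title": prefs.get("title", ""), "required": [],
              "optional": [], "unsupported_required": [], "search": []}
    for elem in prefs:
        if elem.tag not in ("Require", "Optional"):
            continue
        feature = elem.get("feature", "")
        key = "required" if elem.tag == "Require" else "optional"
        report[key].append(feature)
        if elem.tag == "Require" and feature not in supported:
            report["unsupported_required"].append(feature)
        if feature == "opensearch":
            for param in elem.findall("Param"):
                if param.get("name") == "opensearch-description":
                    report["search"] += search_templates(param.text or "")
    # Rule from the wizard page: one unsupported Required feature is
    # enough to block widget creation.
    report["creatable"] = not report["unsupported_required"]
    return report


if __name__ == "__main__":
    for key, value in review_descriptor(SAMPLE_DESCRIPTOR).items():
        print(f"{key}: {value}")
```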


If you click Next, the Configure OpenSocial Gadget Views wizard page displays. You use this page to specify which gadget-supported view to use when rendering the gadget in a particular view target. All views supported by the gadget are listed in each drop-down box.

You can click Next to see the wizard page for specifying the widget name and what you want to do with it (as seen in other widget wizards). If you choose to create a live text action, clicking Next displays the wizard page for creating an action (as seen in other widget wizards). If you then click Next, a wizard page displays, with a summary of the widget you are creating. Clicking Finish creates the widget and places it in your My Widgets sidebar panel.

Option 2
You can use the My Widgets sidebar panel menu to select the Configure a widget from > An OpenSocial Gadget command.

This starts the same Start Configuring Widgets wizard for OpenSocial Widget as shown in Option 1 above.

Option 3


If you have an OpenSocial gadget open in the embedded browser, you can click the 'Configure a Widget from Current Context' toolbar button:

This opens the wizard selection page:

You can then click Next to proceed through the OpenSocial widget wizard as described in Option 1 above.

Enabling a URL to be embedded in an embedded experience


In Notes 9.0 Social Edition, the web widget creation wizard has a new wizard page. The widget developer uses the wizard page to enable a URL for use as an embedded experience in an email. In the wizard page, the widget developer can select a check box and enter a URL that they want to be embedded into an email. After the widget is published to the corporate widget catalog and approved by the widget catalog administrator, users can install the widget and then have the ability to render the URL embedded in an email.


The URL field does not need to match the URL of the widget itself. The URL field can contain a wild card so that many URLs from the same site can be trusted to be embedded in an email.
NOTE: Host names cannot contain a wild card.

Example:
- Widget URL: http://my.server.com/directory/file.html
- Embedded experience URL: http://my.server.com/directory/*

In this example, when you open the widget, it will navigate to http://my.server.com/directory/file.html. For use in an embedded experience email, any URL that begins with http://my.server.com/directory/ will be allowed.

Examples of embedded experience URLs:
- http://my.server.com/
- http://my.server.com/*
- http://my.server.com/directory
- http://my.server.com/directory/*
- http://my.server.com/directory/file.html

Reference to existing web widget creation wizard: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/How_do_I_create_a_Web_page_widget_LN90
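One way to validate and apply embedded experience URL patterns of the kind listed above, as an added Python example that is not the Notes client's own matching code. Assumptions: the only wildcard form is a single trailing * in the path (as in the page's examples), a pattern without a wildcard must match exactly, and the names parse_pattern and is_allowed are hypothetical.

```python
from collections import namedtuple
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
Pattern = namedtuple("Pattern", "scheme host port path query is_prefix")


class PatternError(ValueError):
    """Raised for an embedded experience URL pattern that must not be stored."""


def parse_pattern(pattern):
    """Validate a pattern such as http://my.server.com/directory/*.

    Assumed semantics (not taken from Notes): the only wildcard is one
    trailing '*' in the path, meaning "any URL whose path starts here".
    """
    parts = urlsplit(pattern)
    if parts.scheme not in DEFAULT_PORTS:
        raise PatternError("pattern must be an http or https URL")
    # The page's rule: host names cannot contain a wild card. Without it,
    # 'http://my.server.com*' would also cover my.server.com.<other domain>.
    if "*" in parts.netloc:
        raise PatternError("host name cannot contain a wild card")
    if not parts.hostname or "@" in parts.netloc:
        raise PatternError("pattern needs a plain host name")
    path = parts.path or "/"
    is_prefix = path.endswith("*")
    if is_prefix:
        path = path[:-1]
    if "*" in path or "*" in parts.query:
        raise PatternError("only one trailing wild card is supported")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return Pattern(parts.scheme, parts.hostname, port, path,
                   parts.query, is_prefix)


def has_dot_segment(path):
    """True if the percent-decoded path contains '.' or '..' segments."""
    return any(seg in (".", "..") for seg in unquote(path).split("/"))


def is_allowed(url, pattern):
    """Decide whether url may be rendered under the given pattern."""
    rule = parse_pattern(pattern)
    # Backslashes, whitespace and control characters are read differently
    # by different URL parsers, so refuse them instead of guessing.
    if any(c == "\\" or ord(c) <= 0x20 for c in url):
        return False
    try:
        u = urlsplit(url)
        port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    except ValueError:
        return False
    if "@" in u.netloc:  # userinfo can disguise the real host
        return False
    # Compare parsed components, never the raw string prefix.
    if (u.scheme, u.hostname, port) != (rule.scheme, rule.host, rule.port):
        return False
    path = u.path or "/"
    # '/directory/../x' begins with the prefix but resolves outside it.
    if has_dot_segment(path):
        return False
    if rule.is_prefix:
        return path.startswith(rule.path)
    return path == rule.path and u.query == rule.query


if __name__ == "__main__":
    rule = "http://my.server.com/directory/*"
    for candidate in ("http://my.server.com/directory/file.html",
                      "http://my.server.com/directory/../admin",
                      "http://my.server.com.attacker.example/directory/x"):
        print(candidate, "->", is_allowed(candidate, rule))
```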


Publishing the widget to the catalog


The newly created widget can be published to the catalog as in previous releases using the widget's right-click Publish to Catalog command.

Approving the widget for availability to client users


After the widget is added to the widget catalog, the widget catalog administrator needs to approve the widget for use. See the Domino Administration documentation for more information on approving widgets.

Installing and using the widget


After the widget catalog administrator has approved the widget, users can install it by dragging and dropping the widget into the My Widgets sidebar panel. When the widget is installed, the advanced features of the gadget are enabled in the client. Users can also start receiving embedded experience emails that embed the OpenSocial gadget or URL.

Other features
Discover page
The Notes 9.0 Social Edition client introduces a new home page called the Discover page. With the Discover page, users can find targeted Notes client information more quickly and easily, including what's new in the release, introductory material for new users, and helpful hints and tips. There is also a "Quick Links" tab that allows users to launch their workspace, Mail, Calendar, and other Notes applications they have recently used, in addition to other resources, such as the Notes and Domino wiki. Please note: A user who customized their home page prior to the Notes 9.0 Social Edition release will still see that custom home page in the Notes client.

Support for IBM Social Theme
Support has been added to the current beta release for the IBM Social theme. This theme provides a new, cleaner, more modern look to the Notes 9.0 Social Edition client. This theme is being adopted across the IBM product line for UI consistency. The new look is implemented as an additional theme available to the end user; choose File - Preferences - Windows and Themes, and select the IBM Social Theme. The end user still has the ability to select any of the other themes, in addition to this new theme.


Default preferences have changed
Some default preferences have changed in the current release of Notes, as outlined below:
- The new IBM Social theme is turned on by default.
- If you use pop-ups for new mail notification, you'll now see an unobtrusive slide-in alert at the bottom of the screen. To change this default behavior, select File > Preferences > Mail > Sending and Receiving to choose a different option.
- Email message tabs are automatically closed after you have replied to, or forwarded, an email. To change this default behavior, select File > Preferences > Mail, and uncheck the "Automatically close original e-mail when replying/forwarding" option.
- Your most recent email messages will now appear first in your Inbox. To change this preference, select File > Preferences > Mail, and uncheck the "Most recent on bottom" option.
- Notes now processes all meeting updates automatically, and keeps your meetings up-to-date. New meeting notices automatically appear in gray on your calendar, before you accept them. To change this setting, choose File > Preferences > Calendar and To Do > Display > Views, then uncheck the "Display new (unprocessed) notices" option.
- Notes contacts are set up to synchronize with iNotes and/or mobile devices during replication.

New keyboard shortcuts
Several new keyboard shortcuts and commands are available that allow you to navigate Notes in a more familiar fashion:
- Ctrl+1, 2, 3 - Open Mail, Calendar, or Contacts, respectively, from anywhere in Notes
- Ctrl+R - Reply to mail or calendar entry
- Ctrl+Shift+R - Reply to All on mail or calendar entry
- Ctrl+Alt+V - Paste Special
- Ctrl+Shift+V - Paste as Plain Text


Open Mail, Calendar, Contacts, or homepage in one click
There are new icons next to the Open button, which you can click to open Mail, Calendar, Contacts, or the Notes homepage. These buttons are available no matter where you are in Notes.

You can choose to hide the buttons as well, by right-clicking and selecting "Hide ____ Shortcut Button." To display a button again, click View > Show Shortcut Buttons, and then select the buttons to show or hide.


Use the mini-view to see work at a glance
The mini-view allows you to see notices, follow-up messages, or to-do items in the left navigator of your Mail or Calendar view. The mini-view is collapsed by default; simply click the mini-view to open it.

Iberian Portuguese dictionary file available
A dictionary file for Iberian Portuguese (pt) is available for installation from the IBM Notes 9.0 Public Beta download site.

Mac Cocoa support
The Notes Mac Client has been upgraded to support Apple's Cocoa UI rendering libraries. Although the User Experience in almost all cases is unchanged, we are looking for your feedback on anything that appears to work differently or not as expected.


New toolbar option
A new toolbar menu now includes the option 'Show Toolbar Only When Editing'.

Improved integration with Lotus Protector
As part of an improved integration with Lotus Protector, the "Block addresses" action in Notes mail will now present an improved dialog to allow blocking of domains.

Federated login (SAML)
Federated login, based on a standard called Security Assertion Markup Language (SAML), extends trust between web sites that act as identity providers to other web sites that are service providers. Depending on how your Domino administrator has implemented federated login, you may be able to re-use your password for certain external web sites that are trusted service providers to your organization. Or, as an example, you can supply your Kerberos password and access a Domino Web Server. Check with your administrator for details on trusted service-provider web sites. This is similar to how Notes Shared Login works, with two main differences: only administrators can control whether federated login is turned on, and federated login works with Citrix. For more information about federated login, please see the Domino Server portion of this document.


Granting access to OAuth-compliant Web applications
The Domino server can now use a credential store, which is a secure repository for document encryption keys and other tokens necessary for Notes and iNotes client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts. If a Notes or iNotes client user runs the Social Edition OpenSocial component, a credential store provides the following benefits:
- iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster.
- Notes users can authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts.

Client users take no action to configure the credential store; it is entirely set up and managed by the Domino administrator. For more information about the credential store, please see the Domino Server portion of this document.

Patches
All patches are posted separately to the download site. See the main Public Beta announcement for instructions on installing them.

Fixes
The items listed as fixed in Notes 9.0 Social Edition are cumulative, and may or may not be included in the currently available beta release. If you can easily test an issue out to confirm, we recommend you do so; otherwise you can request updates on specific SPRs listed in the fix list via the available beta forums. The fix list is available at the following website: http://www-10.lotus.com/ldd/r5fixlist.nsf/Public?OpenView


Known issues
This section captures general issues that have the potential to hamper your use of the IBM Notes 9.0 Social Edition Public Beta client, and offers workarounds where possible.

Known issues - Notes client


Windows: Notes client does not restart after NSD is complete
On Windows, when the 'FaultRecoveryOnClient' parameter is not added in the notes.ini file (default configuration), the Notes standard client does not restart automatically if the notes2.exe process is killed for the first time, after a fresh Notes installation. As a workaround, manually restart Notes if it crashes after first-time installation. For subsequent crashes, Notes will restart automatically. This issue is being tracked by SPR # SNIR8ZGEBE

Windows: Uninstall before installing Notes 9.0 Social Edition
If you select to install the 'OpenSocial component' during an upgrade from an early beta release to the Notes 9.0 Social Edition Public Beta, the upgrade will fail. To work around this issue, uninstall early beta releases of Notes before installing the Notes 9.0 Social Edition Public Beta release. This issue is being tracked by SPR # CLJA92ULC8

Windows: Notes single log-on does not work for 64-bit OS
Notes Single Log-on may not work on Windows 7 64-bit, and Windows 8 64-bit OS due to a missing system DLL. If this is the situation, the user will be prompted for a password. As a workaround, place a 64-bit version of the msvcr100.dll file in the \windows\system32 directory and restart the OS. The user will no longer need to log into Notes. This issue is being tracked by SPR # JRBJ8ZLADZ

Windows: When installing multi-user, an extra folder may be created
When installing the Notes client as multi-user, an extra folder called "Lotus" will be created in the user's home directory, which contains the install log file. This folder can be deleted. This issue is being tracked by SPR # JRBJ92JBJT

Windows: Extra directory created when "Shared Logon" is enabled via policy
A directory called Lotus Notes is created under 'Users\Admin..\..\Local\IBM\' when Shared LogOn is enabled via policy. This issue does not impact functionality. This issue is being tracked by SPR # DBHA92TF83


Windows: File icons may not be updated
On Windows XP, after upgrading from Notes 8.5.x to Notes 9.0 Social Edition, the icon for *.ics files, and other files to be opened by Notes, still display with an older, yellow-colored appearance in Windows Explorer; the expected icons should be colored blue. By default, Windows uses icons stored in IconCache.db to display icons, so file icons will not be updated even though the Notes icon has been changed. As a workaround:
1. Press Ctrl+Alt+Del to start the Task manager - on the "Process" tab, find explorer.exe, and kill it by clicking "End Process".
2. In Task manager, open a DOS command window, type cmd, and click Enter.
3. In the command window, remove IconCache.db by typing del "C:\Documents and Settings\<User>\Local Settings\Application Data\IconCache.db" /a
4. Restart the system.
This issue is being tracked by SPR # FFJJ8ZJAGM

Windows: Client may hang when selecting section, if running YouDao dictionary
The Notes client may hang when you select a section, if you are running the YouDao dictionary. This issue is being tracked by SPR # YYYY92UBQV

Mac OSX: Upgrade from earlier beta release requires uninstallation
Notes will fail to launch if you are upgrading from an earlier beta release to the Notes 9.0 Social Edition Public Beta build with 'OpenSocial component' selected. As a workaround, before upgrading to Notes 9.0 Social Edition, uninstall the earlier beta social add-on (run sudo ./addonUninstall.sh, which you can find in Notes854_EEAddOn_mac_cd5_prod.dmg) or uninstall Notes completely before upgrading. This issue is being tracked by SPR # XTCN92UCBC

Mac OSX: Notes federated login (SAML) may encounter form with no data
If you have configured your Notes client for Notes Federated Login on Macintosh, and you start the Notes client, you may be unable to log in for one of two reasons:
- If the related IdP is configured as form-based, then the Notes client will display a blank log-in form page with no data, which will prevent you from logging in
- If the related IdP is configured as Kerberos-based, then the Notes client will hang, preventing you from logging in
As a workaround, the side patch for SPR# KKSS8XNARP, available from the Public Beta download site, can fix this issue. This issue is being tracked by SPR # HFCG8XLEB3


Mac OSX: Roaming user may hang exiting Notes client
If you are a roaming user on the Mac Notes Client, you may hang when exiting the client if you have the Replication and Sync page open and answer Yes to the prompt about updating the server. As a workaround, close the Replication and Sync tab before exiting the client, or answer No to the "update the server" prompt. This issue is being tracked by SPR # AJAN8XUK6M

Mac OSX: Some file types may not be viewable
The viewer function that uses KeyView library on Mac does not support spaces in its execution path. In this release, the Mac Notes pathname is "IBM Notes.app", which is also part of KeyView's execution path, and contains a space. Because of this, .ppt, .pptx, .odp, .pps, .sxi, .cgm, .wpg, .pre, .prz, and .sdw files cannot be viewed. This issue is being tracked by SPR # XXFF922BPX

Mac OSX: New mail and calendar forms may not accept input
After running for 2-3 days, new mail and calendar entry forms will no longer accept keyboard input on Mac 10.8. This issue is being tracked by SPR # GKYU927F22

Linux: Deprecated packages required for Notes client
On Linux, the Notes client depends on deprecated packages: libgnomeprint and libgnomeprintui. As a workaround:
- On RedHat, configure YUM, and install Notes by using yum install <Notes rpm>
- On Ubuntu 10.04/12.04: Ensure internet is connected, and double-click the Notes installer (deb) to install it via GUI.
This issue is being tracked by SPR # YYSN895973

Linux: Do not launch Notes as root (Ubuntu)
An additional "IBM Notes 9" menu will be added under 'Applications > Office', if a user tries to launch Notes as root. Users should not launch Notes as root, and "Error Code 493: Do not run as root" will be displayed on screen. This use case is not supported by rpm/deb Notes. This issue is being tracked by SPR # SNIR92HCWB

Linux: Scroll bar in Java portions may not work
On Linux Ubuntu 12.04 (Unity), in Java portions of the Notes client, the prompt line for the scroll bar will display, but cannot be expanded with the mouse pointer. This is a third-party issue which is being tracked by https://bugs.launchpad.net/unity/+bug/890986. As a workaround, use the keyboard or mouse wheel. This issue is being tracked by SPR # YYSN8NFE9P


Linux: Order of items in menu bar displays incorrectly
On Linux Ubuntu 11.10/12.04 (Unity), the order of items in the menu bar is incorrect when switching focus between different parts of Notes. This is a third-party issue which is being tracked by https://bugs.launchpad.net/bugs/904275. As a workaround, set an environment value for Notes only. Open a terminal, type "export UBUNTU_MENUPROXY=0", then launch Notes by command. This issue is being tracked by SPR # YYSN8NFFT6

Linux: Clicking Notes Document links displays error message
This issue was seen using Linux Ubuntu 12.04 (Unity) and RedHat 6.3. When you click on a Notes Document Link, the error dialog: "Notes is not a registered protocol" pops up, and the Notes document can not be opened. This issue is being tracked by SPR # JRBJ8YB5KT

Citrix: User cannot launch Notes after reinstall, with custom data location
When upgrading to IBM Notes 9.0 Social Edition from a previous version of Notes, on a Citrix server using the MULTIUSERCOMMONDIR property, the previous Lotus\Notes\Data\notes.ini file will be left in the MULTIUSERCOMMONDIR directory. This file will prevent the Notes client from starting for users who have not previously run Notes. The solution is to manually remove this file after the installation finishes. This issue is being tracked by SPR # XTCN92KEQW

Calendar: Exporting a repeating meeting as an ICS file then re-importing it may cause a crash
There is an issue that affects users who export their Calendar contents as an .ICS file, and then import the contents back into their Calendar; this does not affect normal .ICS file use, such as simply importing new content. Normally when Notes detects that the data in an iCalendar .ICS file already exists in the user's Calendar, Notes will notify the user and ask them if Notes should overwrite the existing entries or not. If the user agrees, the existing calendar entries are removed and the import continues. If the user disagrees, the import does not happen.
This behavior has changed - instead of removing the existing documents, and new documents being created, the existing documents are not removed, and Notes can crash. This does not happen on every Notes installation but on installations where it happens once, it will happen consistently. As a workaround, manually remove the entries that are identified by Notes as being duplicates; if they are removed manually, there are no entries for Notes to attempt to remove. Or, avoid reimporting iCalendar entries that already exist on the Notes Calendar. This issue is being tracked by SPR # FFJJ8XND69

Client UI: Open list icons look the same for different themes
For the current beta release, the Open list for both the Notes 8 Theme and the IBM Social Theme uses monochromatic icons for all of the items in the default Open list. For the final release, the Notes 8 Theme will display the correctly-colored icons. This issue is being tracked as SPR# DBRO92HJF6


Client UI: Mail with DBCS may display incorrectly on Win 7 64-bit
Mail containing DBCS characters may display badly on a Windows 7, 64-bit machine. When the font name of the text in a document is incorrect, Notes may not handle the document properly, and displays the text with an incorrect font. This issue is being tracked as SPR# XXFF8ZLC5M

Client UI: Toolbars disappear in documents opened for editing
There is a known issue where toolbars may disappear in documents that have been opened for editing. As a workaround, click within the document or disable the "Show Toolbars Only When Editing" option from the 'View -> Toolbar' menu. This issue is being tracked as SPR# SLAE92QP2R

Client UI: XPages toolbar may not appear in context
There is a known problem with the XPages toolbar in the Notes client. The toolbar does not appear when the "Show Toolbar only when editing" option is selected in Notes. To use the XPages toolbar in Notes, please deselect the menu option "View -> Toolbar -> Show Toolbar only when editing". This issue is being tracked as SPR# EGLN923NXL

Client UI: Cannot drag-and-drop to RTF field
Dragging-and-dropping a Mail view or Folder to a new mail message does not create the view/folder link in the message. Instead, a prompt is shown to the user with the message "Getting View Information". Clicking 'Yes' on that prompt displays the same message after a short delay; clicking 'No' on the prompt stops it from being shown, but the link is still not created. This issue is being tracked as SPR# HPXG923B7S

Instant Messaging: Notes may crash transferring empty folder on Mac OSX
In a chat window, if you select an empty folder to send to another user, you will see an 'empty folder' notification message, and Notes may then crash. There is currently no workaround for this issue, so please be sure to send a file instead of an empty folder. This issue is being tracked as SPR# YJLN8WS9MV


Instant Messaging: Notes may crash changing contact list font on Mac OSX
This issue appears in the following scenario:
1. Launch Notes and log into Sametime
2. Show both the Sametime Contacts panel and the Sametime Primary Contacts panel (display the Primary Contacts using the Classic view).
3. Select Preferences -> Sametime -> Contact List -> Contact List font
4. Change to another font and size, and click OK.
5. The Sametime Contacts panel is refreshed correctly, but the Primary/Recent Contacts panel does not show members at all (the panel is blank, with only an arrow icon)
6. Click the arrow icon in the Primary Contacts panel, or try to display this panel with another view, i.e., switching between Primary/Recent/Frequent Contacts.
Notes may then crash or hang, because the Primary Contacts view is not immediately refreshed after the font is reset, and the old fonts have been disposed. As a workaround, reboot Notes. This issue is being tracked as SPR# YJLN8XV3SJ

Instant Messaging: Drag-and-Drop issue on Mac OSX
On Macintosh OS X, in embedded IBM Sametime, if you drag a person or group from the Contacts panel to the Sametime Primary Contacts panel, Notes may hang and eventually crash. This is more likely to happen if you repeatedly drag items. As a workaround, instead of dragging people to the Sametime Primary Contacts panel, use the menu action by right-clicking on the person and selecting "Add to Primary Contacts." This issue is being tracked by SPR # MLUO8VDAZL

Instant Messaging: Business card "sticks" on Mac ("Cocoa" platform)
Notes builds with Macintosh "Cocoa" support show a Business Card display issue. When you bring up the Business Card in Notes, for example by hovering over a livename, it typically gets dispersed when you hover away from the card. The problem is now when you switch to another application while the Business Card is still open, it won't be dispersed when you hover away from the card to the other application.
To work around this issue, hover away from the card, and back to Notes. Note: to get around similar disposal issues, the BusinessCard was replaced with the old Sametime card in some places. This is just a temporary solution until the disposal issues are resolved. This issue is being tracked by SPR # YYSN8UTG8E

Instant Messaging: Video always seen as black screen on Mac ("Cocoa" platform)
There is a known issue where video is always seen as a black screen during a 3-way video conference call, when a Macintosh user is the moderator. Sometimes the video will flash and then disappear. As a workaround, set the 'incoming_video_formatting' flag to "none" in the preferences.ini file of the com.ibm.collaboration.realtime.multimedia.phonegrid plugin, at eclipse\plugins\[location for the moderator], and restart Notes. The video will then be seen without any issue. This issue is being tracked by SPR # MLUO8VTCHQ


Instant Messaging: Video window in 2-way call restores to original size on Mac ("Cocoa" platform)

If a user resizes their video window to a bigger screen, or clicks on full screen, during a video call, and then does a video control operation such as "Mute/Unmute", or "Stop sharing my window/Share my window", the video window restores to its original size. There is currently no workaround for this issue. This issue is being tracked by SPR # MLUO8WTCTR

Instant Messaging: Sametime Quick Find and Chinese input method issue on Mac ("Cocoa" platform)

There is a known issue in the embedded Sametime Quick Find feature. If you are using the Chinese input method to enter characters, and click the Sametime buddy list before finishing input, it will cause the Notes UI to display incorrectly, and will ultimately crash the client. The workaround is not to do any other operation before finishing inputs to Quick Find with the Chinese input method. This issue is being tracked by SPR # MLUO8V25XA

Discussion app: All Documents view not correctly rendered

The All Documents view may render incorrectly, making it difficult to click on document links. This issue is being tracked by SPR # LHEY8WDHW

Discussion app: Navigating back to main view (mobile) may not work

Navigation back to the main view on a mobile device does not work after deleting a reply document. This issue is being tracked by SPR # LHEY8XFLL

Teamroom app: Status Reports view (mobile) may cause runtime error

The Status Reports view on a mobile device may cause a runtime exception, as it tries to resolve an unknown column reference. This issue is being tracked by SPR # LHEY8XFLG9

Teamroom app: Send to Reviewers not working

The "Send to Reviewers" email notification may not work in the current TeamRoom template. This issue is being tracked by SPR # LHEY8XGGLG

Teamroom app: Anonymous user sees exception when opening a document

An anonymous user may see a "HTTP Web Server: Item Not Found Exception" message when opening a document. This issue is being tracked by SPR # LHEY8WSDCU


Teamroom & Discussion app: View caching issue affecting mobile template use

Page handling on page transitions may not be functioning correctly, making the mobile templates very difficult to use. This issue is being tracked by SPR # LHEY8W2FUC

Teamroom & Discussion app: Dojo 1.7.2 upgrade may affect tag cloud

An upgrade to Dojo 1.7.2 resulted in the tag clouds being broken in the Teamroom and Discussion application templates. This issue is being tracked by SPR # DEGN8RHJRX

Replication: Automatic replication start may not work

Replication may not be started automatically on Notes start up, even when the preference is enabled. Replication will start when users open Notes content such as Notes Mail, Calendar, a Notes Application, or the sidebar Day-at-a-glance. This issue is being tracked by SPR # JSKR8Y59H6

Search: Pressing "delete" may not delete characters in the 'Find' dialog

When the Chinese input method is enabled, some Notes views will see the following issue. If you type "Shift -", there is a "" displayed in the 'Find' dialog; trying to clear it using the Delete key is unsuccessful. As a workaround, press the Delete key again; on Mac, use the "delete" key on the keypad. This issue is being tracked by SPR # YYSN92N5WD

Search: Closing 'Find' dialog may not work correctly

On Windows machines, when the Chinese input method is enabled, typing "Shift -", seeing "" displayed in the Find dialog, and then clicking the Close button will trigger the Find dialog again. On Mac, this may actually break the Find dialog itself, for some Notes views. For example, switching to a basic Notes view while the Find dialog is still open, and then attempting to close the dialog by clicking on the Close button or the X for the window, will disable the Find dialog for any basic Notes view again. To work around this issue, open a document and press "Command+F" to bring up a Find dialog, then switch back to a basic Notes view, and Find will start to work again. This issue is being tracked by SPR # YYSN92N5PA

Search: Quick Find may not display some names

The Quick Find feature is expected to search for both the Notes address (John Acme/US/IBM) and the internet mail address (jacme@ibm.com) of the same contact. In the current release, Quick Find only shows the Notes address for a contact. There is currently no workaround for this issue. This issue is being tracked by SPR # JHYI8V8S6R


Known issues - Notes Browser Plugin


Upgrade from earlier releases not recommended

If you try to upgrade or uninstall earlier code drop releases of the Notes Standard client which included a Browser Plugin XPI file for Firefox, that XPI is not removed. This will cause multiple, enabled versions of the Notes Browser Plug-in in Firefox.

Workaround - It is recommended that users uninstall existing installations, clean up the installation folders, and disable and remove Firefox browser plugin add-ons before installing Notes 9.0 Social Edition. It is also recommended that users delete the 'Notes Applications' folder from Browser Bookmarks in Firefox, and from Browser Favorites in Internet Explorer. Install Notes 9.0 Social Edition Public Beta in a clean environment; do not upgrade from a previous installation. This issue is being tracked by SPR # APAR92BDWV, MLAT92DCD2

Bookmarks folders may be deleted, using IE

On Windows 7 or 8, if you install the Notes Browser Plug-in and use Internet Explorer 9 or 10, bookmarks created under "Notes Applications -> Favorite Bookmarks", or "Notes Applications -> [Personal folder]" are lost when the browser relaunches. This issue was not observed with Firefox browsers; also, this issue is not observed if the bookmarks are created using a Notes Standard client. This issue is being tracked by SPR # VPEU92AEEV and VPEU92ACHR

Link will not open in Notes Browser Plug-in (iNotes)

On Windows 8, with Internet Explorer 10, when using iNotes, clicking on a link will not open inside the Notes Browser Plug-in. You will need to right-click on the link and select "Open in a new tab". This issue is being tracked by SPR # JVSE8YS8XR

Unable to close tab or create bookmark with shortcut (Windows 8)

On Windows 8, with Internet Explorer 10, you will be unable to close the IE 10 tabs using Ctrl+W, though you can close tabs using ESC. In addition, if you open a Discussion application and use Ctrl+D to create a bookmark, the Bookmark window is not opened. As a workaround, ensure that you manually set the window focus before trying to use Ctrl+W or Ctrl+D as described. This issue is being tracked by SPR # ASBN8ZJG4S


Known issues - iNotes


iNotes: Calendar issues
- On Firefox, Safari and Chrome, an error may be encountered if a draft calendar entry with no invitees is saved and reopened (YJSI8XLDLG)
- A user added to an existing meeting as Optional or FYI may not see the other meeting invitees on the meeting invitation. The other invitees will be displayed once the invitation is accepted (MCHN8XGC8X)
- On a new calendar event, a time entered by typing in the value rather than using the timepicker may not be preserved once the event is saved or the invitation is sent (SANR8XNPLP)
- Adding and removing a room and resource to an existing meeting in a single update may result in the resource not being removed from the meeting update (SANR8XVMYS)
- If an invitee declines an invitation to attend a repeating meeting invitation, they cannot re-open that invitation at a later time to accept; they will see the error message: "A problem has occurred which may have caused the current operation to fail". If the invitee picks 'Decline but keep informed of updates' then updates from the chair will still work. (YJSI92A8XK)
- When a Chair sends out a meeting request to 2 or more invitees who accept, if one of the invitees then counterproposes a new time and the Chair accepts the counterproposal, invitees will not receive reschedule notices (GKLA92FMTB)
- When a Chair sends out a meeting request to one or more invitees, then performs an update to the meeting like changing the location or a category, the "Private" setting on a meeting can be lost. This means that a delegated user may now see entry contents which may not be intended. (SANR8YVJ6S)
- Users are unable to change the date on a weekly repeating reminder; each time you try to save it, the reminder changes back to the original time. (GKLA8ZZ4VH)

iNotes: OpenSocial issues


- Some web widgets might not be able to render in a tab, sidebar, or floating window, as these areas use iframes. Any web page that is not allowed to be rendered in an iframe will not be able to render in these areas. Web widgets will be able to render if you open them in a new window.
- Web widgets that are created from web forms will not be supported in iNotes.
- When deploying OpenSocial, a user could lose widget data if: 1) The user's mail is a replica that saves space using a custom selection formula rather than the Remove documents not modified in the last N days option; and 2) the user or server's automatic widget update has not performed any data changes for the user in a time period that exceeds the custom selection formula criteria.
- Live text does not work when opening an email message in a new window.


Domino Designer
Purpose of this Public Beta
Introduction
The purpose of this Public Beta is to demonstrate new aspects of IBM Domino Designer and some of its related tools, and to collect feedback on specific aspects of the Domino Designer product.

A note about re-naming the current Notes and Domino release

The identity of the current release of Notes and Domino has changed from "8.5.4" and "8.5.4 Social Edition" to "Domino Designer 9.0 Social Edition." The term "9.0 Social Edition" refers to the overall release, and not a particular component or feature. This change will be visible in several areas of the product, such as splash screens, Help/About screens, install panels, and consoles. The add-on install packages for Notes and Domino that were previously called "Social Edition" have been renamed to "Domino Social Edition Embedded Experiences Add-On," and the Notes Application Plug-in has been renamed to "IBM Notes Browser Plug-in".

Installation procedures for Domino Designer


IMPORTANT: For users with 8.5.3 and 8.5.3 Upgrade Pack 1 (UP1) installed: You must first uninstall Upgrade Pack 1, before installing this Public Beta build. If you are upgrading from 8.5.3 with 8.5.3 Upgrade Pack 1 installed, the Notes installer can fail with the following error:

The log file will also contain the following information:

15:13:16.7342SEVERE CWPPR0067E: The install request for feature com.ibm.xsp.extlib.feature conflicts with another request for the same feature.

IMPORTANT for users with any previous installations of any OpenNTF Extension Library - You must UNINSTALL any OpenNTF Extension Library that you may have installed in the Notes client BEFORE you install the Social Edition Beta.

IMPORTANT for other users: Before installing this Public Beta software, you must first uninstall your existing Notes version. You cannot upgrade from an existing Notes version to this Public Beta code.

The following installation information is provided in this section to assist you in using Domino Designer for this Public Beta.


Software requirements

Prerequisite software (IBM Domino Server and IBM Notes client)


To install and use the Public Beta version of Domino Designer you must first obtain and install the following software.

Important: To make sure that all software licensing agreements are met correctly, make sure that you install the prerequisite software pieces in the following order:

- the Public Beta version of the Domino server
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-ldnext beta
- the Public Beta version of the Notes client
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-ldnext beta

Installing Domino Designer

The Notes client supplied for this early release should be installed on a non-production system as upgrade and downgrade testing has not been emphasized for this early release. It is recommended that you do a clean install and specify the default file path (for example, C:\Program Files\IBM\Lotus\Notes).

Note: Be sure that the target directory is new and empty; do not specify an existing folder. You must specify a new and empty directory in response to this prompt. This is the directory in which the additional files, or framework, that are part of IBM Notes.Next Beta but not part of traditional Notes, are installed.

- Start the Installer.
- Read the preview screen for installation directory, features, and size - make sure that you choose Domino Designer as one of the features you wish to have installed.
- Click Install.

Note: This process may take several minutes.

Patches
All patches are posted on the download site. See the main Public Beta announcement for instructions on installing them.

About the documentation


An older version of the Domino Designer Help is provided with the Public Beta. Public Beta focus features are documented in this Features Documentation - not in the product help. For additional help and information on features, refer also to the following Eclipse help plugins and additional documentation shipped with this Public Beta:

- IBM Domino Designer Basic User Guide and Reference
- IBM Domino Designer User Guide
- IBM Domino Designer XPages Reference

Known documentation issues


- You may see discrepancies between the Domino Designer interface and what is actually documented in some of the documentation plugins and Public Beta documentation.


Features and enhancements


Domino Designer
For Domino Designer, the following features, additions or changes have been included in this Public Beta:

Domino Designer Performance Tech Note


The Domino Designer team recently released the following performance-related Tech Note:

http://www-01.ibm.com/support/docview.wss?uid=swg21617708

This tech note was published to help resolve several Domino Designer hang issues which have been reported. Users who have 2GB (or more) of system RAM are asked to apply these settings to the Domino Designer 9.0 Social Edition Beta.

Source Control Documentation - URL Correction


The Source Control section of the current Domino Designer User Guide in the product documentation provides an expired URL for installing source control components found in Subversive-incubation-0.7.9.I20100512-1900.zip. If you attempt to install using the URL currently provided, provisioning will fail due to an attempt to access an obsolete web site for the GEF editor support. The correct link, which contains all of the necessary features and plugins to enable Source Control, is the following:

http://www.openntf.org/internal/home.nsf/project.xsp?action=openDocument&name=Subversion%20UpdateSite%20for%20Domino%20Designer

Server-Side JavaScript (SSJS) Debugger


With the introduction of the Server-Side JavaScript (SSJS) Debugger in Domino Designer, it is now possible to debug against either the Domino Designer local preview server or against a Domino server. A "Debug IBM Domino Designer JavaScript" toolbar button has been added to the main toolbar along with corresponding menu items to make it easy to set up and use this feature.


The toolbar button is always available in the Domino Designer, XPages, Debug, Java, Plug-in development and Resources perspectives. It is hidden by default in all other perspectives. The button serves as a clickable button, or as a drop down menu button. Clicking on the actual toolbar button will have one of two effects:
- If a Server Side JavaScript Debug Configuration does not exist, and a Remote Java Application Debug Configuration does not exist, then a new Server Side JavaScript Debug Configuration will be created, and will be selected in the "Debug Configurations" dialog.
- If a debug configuration already exists, then the last run configuration will be launched, without the Debug Configurations dialog being surfaced.

Clicking on the drop down arrow will reveal a sub menu. If there are no debug configurations in the current workspace, then the "Manage Debug Configurations" menu item will be the only one available.


Selecting this menu item launches the Debug Configurations dialog and automatically creates a Domino Designer JavaScript Configuration:


The configuration UI has been updated to contain specific details on how to configure a server so that it can be debugged. The relevant text is selectable:

If debug configurations already exist, then the drop down menu will show those configurations:


The configurations appear in a particular order:


- First - any/all of the Server Side JavaScript configurations will appear (alphabetized).
- Second - any/all Remote Java Application debug configurations will appear (alphabetized).
- Last - the Manage Debug Configurations... menu item will be available.

Clicking on any of the configurations in the list will cause that configuration to be launched without the Debug Configuration dialog being invoked. Pressing the Manage Debug Configurations... menu item will cause the Debug Configurations dialog to be launched and the first configuration in the list will be selected automatically.

Error cases

In any case where the configuration fails to establish a debug connection with the server/preview server, an error dialog will be presented explaining what has happened, and how the server needs to be configured to establish debug connections (note the configuration text is also selectable in this dialog):


Setting breakpoints for use with the debugger


The SSJS syntax supports the "debugger" keyword for setting breakpoints. To use this keyword in debugging, place the keyword in your script wherever you want to add a static breakpoint. When in debug mode with the debugger connected, the engine suspends on the keyword until the debugger takes some action to tell the engine to resume (for example, "Continue" is pressed, the debugger is disconnected, and so on).

Note: When the engine is not running in debug mode, the keywords have no effect. The "debugger" keyword used with this feature is NOT backwards compatible and will not work if an application is hosted on an earlier version of the server (versions prior to IBM Domino 9.0 Social Edition Beta). This keyword acts as a static breakpoint within the Server Side JavaScript code when the server/application is running in debug mode. Using the keyword will not cause a problem within an XPages application at design time, but the application will have runtime issues when executed on an earlier version of the server.

You can also set breakpoints in either the XPage editor in the Source tab, or in the Script Editor. You can set a breakpoint by double-clicking in the left editor vertical ruler. The following example shows a breakpoint in a script library:

Breakpoint locations are not validated in Designer, so be careful to make sure you are placing a breakpoint on an executable line of code.
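Because a "debugger" keyword left in a script suspends the engine in debug mode and causes runtime issues on earlier servers, a check for leftover keywords before deployment is useful. The following is an added example, not code from IBM or from the product: the function names and the sample script are constructed for illustration, and regular-expression literals are not treated specially.

```javascript
// Added example: locate `debugger` statements in SSJS source text.
// Comments and string literals are skipped so only real statements are reported.
function findDebuggerStatements(source) {
  const found = [];
  const isIdentChar = (c) => c !== undefined && /[A-Za-z0-9_$]/.test(c);
  let line = 1;
  let i = 0;

  while (i < source.length) {
    const c = source[i];
    const next = source[i + 1];

    if (c === "\n") { line++; i++; continue; }

    // Line comment: skip to end of line (the newline is counted above).
    if (c === "/" && next === "/") {
      while (i < source.length && source[i] !== "\n") i++;
      continue;
    }

    // Block comment: skip to the closing */, counting lines on the way.
    if (c === "/" && next === "*") {
      i += 2;
      while (i < source.length && !(source[i] === "*" && source[i + 1] === "/")) {
        if (source[i] === "\n") line++;
        i++;
      }
      i += 2;
      continue;
    }

    // String literal: skip to the matching quote; stop at a raw newline
    // so an unterminated string cannot hide the rest of the file.
    if (c === '"' || c === "'") {
      i++;
      while (i < source.length && source[i] !== c && source[i] !== "\n") {
        if (source[i] === "\\") {
          i++; // skip the escaped character
          if (source[i] === "\n") line++;
        }
        i++;
      }
      if (source[i] === c) i++;
      continue;
    }

    // Identifier or keyword.
    if (isIdentChar(c)) {
      const start = i;
      while (i < source.length && isIdentChar(source[i])) i++;
      if (source.slice(start, i) === "debugger") {
        // `obj.debugger` is a property access, not the statement.
        let p = start - 1;
        while (p >= 0 && (source[p] === " " || source[p] === "\t")) p--;
        if (source[p] !== ".") found.push(line);
      }
      continue;
    }
    i++;
  }
  return found;
}

// Scan several named scripts; returns one finding per leftover keyword.
function auditSources(sources) {
  const findings = [];
  for (const [name, text] of Object.entries(sources)) {
    for (const line of findDebuggerStatements(text)) findings.push({ name, line });
  }
  return findings;
}

// Constructed sample script library (not from the product).
const SAMPLE_SSJS = [
  "// debugger statements must not ship",
  "function getUserName() {",
  "  var msg = 'debugger attached';",
  "  debugger;",
  "  /* debugger;",
  "     still inside the comment */",
  "  var n = session.getEffectiveUserName();",
  "  if (!n) { debugger }",
  "  return n;",
  "}",
].join("\n");

console.log(JSON.stringify(auditSources({ "sample.jss": SAMPLE_SSJS })));
```
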

Conditional Breakpoints
It is possible to create a Boolean condition which will be evaluated dynamically during debugging to determine whether to stop at the given breakpoint. To set a breakpoint condition, right-click a breakpoint, and choose "Breakpoint Properties..." to bring up its property dialog. The expression will be evaluated in the context of the executing JavaScript at the location of the breakpoint, and should evaluate to a Boolean. A true value means the execution will stop at the breakpoint. The editor for the condition is a plain text field; there is no JavaScript syntax checking or highlighting. Be careful to enter valid JavaScript, otherwise the breakpoint will be ignored (will not stop).


Starting the debugging process


Once you have the server running in debug mode, and the configuration defined, you can now start to debug your code. Use the following steps to begin the debugging process:
- If your application is not yet open in the Applications view, open it now. Otherwise, Designer will not be able to open the actual design element editors when displaying code - it will display a 'stub' editor (with the title "Debug Editor"). It is not necessary to open any of the design elements in an editor; it is enough to simply expand the application in the view. If the debugger opens an editor with the title "Debug Editor", this means it was unable to open the design element; you should first check that the application is open in the Applications view.
- If you have the Configuration dialog still open, click the "Debug" button. Note: You can open the dialog again using the "Debug IBM Domino Designer JavaScript" -> "Manage Debug Configurations..." menu item or toolbar item. Once a connection with the target server is successfully made, a status message will be displayed in the status bar ("Debug connection successfully created using [server] on port [port number]"):
- Once connected, run your application (for example, open a page from the browser). If the application suspends, your browser will wait, while Designer displays where the application execution is suspended along with the values of all of the relevant variables.

A look at the Editor and Debugger views


The following describes the various elements of the Eclipse debugger that display SSJS artifacts during a SSJS debugging session:
- Debug (stack frame) View - This view tab shows the current stack frame. The Java stack is also shown, though this is not important to debugging SSJS.
- Instruction Pointer annotations in the editor (arrow and highlighted instruction) - When stopped at a breakpoint, the editor for the SSJS that is currently suspended is opened and the related instruction pointer annotations appear. When opening the XPages editor, the source tab is automatically brought to focus. An arrow in the left margin of the editor indicates where the execution of the code is suspended and the line of the currently executing SSJS is selected.
- Variables View - This view tab displays the currently defined variables and any values they may have at the time of the suspension (or "undefined" if no value is assigned).


You may end your debugging session by pressing the "Terminate" toolbar button in the Debug view:

You may terminate your debug session at any time, and may optionally restart debugging using the steps above at any time. Only one user may debug a server at one time.

Property for Using Uncompressed Dojo Resources for Debugging


This release provides a public property in the xsp.properties file called "xsp.client.script.uncompressed" that can be edited and set to "true" to enable easier debugging with uncompressed resources. Selecting the "Use uncompressed resource files (CSS & Dojo)" check box in the XPage Properties Editor - Performance Properties tab of your application also enables this feature. The check box will edit this line in the xsp.properties file as follows:

xsp.client.resources.uncompressed=true

When set to true, this property allows Dojo resources to be served up "uncompressed" with all the indentation, spaces, variable names and comments so that you can thoroughly debug your application. In a production environment, this property should be set to "false" to maximize application performance.

Technically, the uncompressed version of the resources is served up by a different library. You must have two libraries registered (for example, 1.7.2 for the compressed version and 1.7.2-u for the uncompressed version). The last version mentioned (1.7.2-u) is then only used if the property is set to "true." The property is not present by default, which is equivalent to setting the property to "false".
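A production build can be checked for this debugging setting by parsing the application's xsp.properties text. The following is an added example, not code from IBM or from the product: the function names and the sample file content are constructed, and both property names that appear in the text above are checked.

```javascript
// Added example: flag the uncompressed-resources debug setting in
// xsp.properties text. Both spellings used in the release note are checked.
const UNCOMPRESSED_KEYS = [
  "xsp.client.resources.uncompressed",
  "xsp.client.script.uncompressed",
];

// Minimal Java .properties parser: "#" and "!" comments, "=" or ":" or
// whitespace separators, backslash line continuation. As in Java, a later
// definition of a key overrides an earlier one.
function parseProperties(text) {
  const props = {};
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    let logical = lines[i].replace(/^\s+/, "");
    if (logical === "" || logical[0] === "#" || logical[0] === "!") continue;
    const firstLine = i + 1;
    // An odd number of trailing backslashes means the line continues.
    while (/(^|[^\\])(\\\\)*\\$/.test(logical) && i + 1 < lines.length) {
      logical = logical.slice(0, -1) + lines[++i].replace(/^\s+/, "");
    }
    const m = /^([^=:\s]+)\s*[=:]?\s*(.*)$/.exec(logical);
    if (m) props[m[1]] = { value: m[2].trim(), line: firstLine };
  }
  return props;
}

// Returns one finding per property that enables uncompressed resources.
// An absent property is equivalent to "false" and produces no finding.
function auditXspProperties(text, { production = true } = {}) {
  if (!production) return [];
  const props = parseProperties(text);
  const findings = [];
  for (const key of UNCOMPRESSED_KEYS) {
    const entry = props[key];
    if (entry && entry.value.toLowerCase() === "true") {
      findings.push({ key, line: entry.line, value: entry.value });
    }
  }
  return findings;
}

// Constructed sample file content (not a file shipped with Domino).
const SAMPLE_XSP_PROPERTIES = [
  "# constructed sample",
  "sample.other.setting=1",
  "xsp.client.resources.uncompressed = TRUE",
  "sample.last.setting: value",
].join("\n");

console.log(JSON.stringify(auditXspProperties(SAMPLE_XSP_PROPERTIES)));
```
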


Home page
The Home page QuickLinks tab contains a list of working sets, as well as basic tasks, links to additional information, and a tip that refreshes each time the Home page refreshes. The remaining tabs on the Home page include snippets of information to help new users and upgrading users, and provide links to the documentation for more information. You can close the Home page at any time. To reopen it, choose Help > Home.

Applications not in Working Set


Domino Designer users use working sets to filter the contents of the Applications Navigator view. Working sets let you group applications into categories, which in turn let you view only applications in a specific working set or in multiple working sets at once. This lets you organize and clean up the Applications Navigator so you can focus on a subset of the applications which you have in the Applications Navigator. Unfortunately, an issue in this area has always been that it was difficult to determine which applications were NOT contained in any working set.

For this release, new functionality is being added that lets you view all of the applications in Domino Designer which are not stored in a working set. This is very similar to the "Other Projects" working set which is available in the Java Package Explorer view. You can find this functionality in the Designer interface in two locations:

- Domino Designer Home Page
- Applications Navigator working set toolbar drop down menu

On the Home Page, Domino Designer checks if all of the applications contained within the Applications Navigator are contained within a Working Set. If it is determined that one or more applications are not contained within one or more working sets then Designer reloads the Home Page. During that process it then adds a new "Applications Not in a Working Set" list item to the Home Page.

From the Applications Navigator, when you click on the menu button, Domino Designer determines if any of the applications are not in a working set. If it determines that one or more are not, then the newly added "Applications Not in a Working Set" menu item is enabled. Conversely, the same menu item will be disabled if all applications are organized in working sets or if there are no working sets (in which case all applications are not in a working set).

When the "Applications Not in a Working Set" feature is enabled, the Applications Navigator only shows applications which are not currently in a working set. The title bar of the Applications Navigator changes to say "Other" and the tool tip will read "Applications Not in a Working Set."

You can add applications which are not currently contained in a working set to a working set. If it is the case that all applications that were not contained in a working set are then added to working sets while "Applications Not in a Working Set" is enabled, the Applications Navigator appears empty and the Home Page is reloaded. This time, however, the "Applications Not in a Working Set" item will not be visible and the "Applications Not in a Working Set" menu item in the Applications Navigator menu will be checked but disabled.


Content Assist within the XPages Source Editor


This release introduces new content assist functionality in the XPages source editor. This functionality lets you use content assist when working in 'source mode' in an XPage. Similar to other Eclipse editors, pressing CTRL+SPACE will activate the content assist functionality. Content assist within Eclipse's XML editor (and the XPages source editor) is driven through the use of a schema. Domino Designer dynamically builds a schema based on the current Notes application. The schema contains help information for each attribute of each tag within the XPages runtime. The content assist functionality is enabled by default within the XPages source editor. Users may disable content assist in the source editor via the XPages Editor preferences. The "Enable content assist on tag names in source editor" option allows users to disable/enable this functionality:

If you already have existing XPages, you must add a new control to the XPage (via drag and drop from the Controls Palette) in order to enable the new content assist functionality. For this release, content assist only works within tags - that is, it can only be used to autocomplete attribute names within tags.


XPages Source Editor Hyperlink Navigation


For this release of Domino Designer, the XPages Source Editor supports hyperlink navigation. Hyperlink navigation describes generic Eclipse functionality where text within an editor can be made into a hyperlink. When you press CTRL and hover over text within any editor in Eclipse, Eclipse provides feedback to the editor that the user is trying to perform hyperlink navigation. Each editor may opt into hyperlink navigation by providing one or more hyperlink objects for the region under the cursor. For this release, the XPages source editor now has the ability to use this functionality. The functionality is always on with no current option or preference to disable it.

Support for hyperlink navigation is also provided on a control by control basis. Hyperlink navigation is only applicable to certain controls, and in most cases only to certain attributes on certain controls. Consider using this feature while editing custom controls. When you press CTRL and hover over a Custom Control in the source editor, hyperlink navigation lets you navigate directly to that Custom Control. For example:


Hovering over xpCGIVariables.jss and clicking on the resulting hyperlink in the above example opens the following selected desig

Hyperlink navigation lets you open several different types of design elements based on the value of a control (in the case of custom controls) or based on the value of an attribute (in all other cases).


XPages Source Editor Hover Help


Eclipse currently provides a simple framework for allowing editors to provide "hover help" based on where your cursor is when hovering within an editor. One example of this is the hover help in the Eclipse Java editor. By hovering over a particular Java construct while in the editor, the editor is able to provide additional information on that construct. In Domino Designer, the LotusScript editor currently provides solid hover help support for items within the LS editor. For this release, you will now also have the ability to get this help in the XPages source editor.

With this feature, you can get information about the 'node' that is currently being hovered over. Similar to the new hyperlink navigation (see above), the Eclipse editor framework provides positioning information to the hover help layer, which can be interpreted and resolved back to a DOM node within the XPage. Once the DOM node is resolved, the editor is able to provide a description for the current tag (and attribute). All tags and attributes that provide a description for themselves via xsp-config are able to have that information made visible in the hover help functionality within the XPages source editor.

The functionality is controlled using a preference within the Domino Designer Preferences tab. The feature is turned on by default, with a time-out of 500 milliseconds associated with the preference. That is, once the cursor has been 'at rest' for greater than 500 ms (milliseconds) the Eclipse editor framework will invoke the XPages source editor hover help functionality. At that point the XPages hover help functionality calculates which node the cursor is hovering over. Based on the node information, the functionality resolves the node against the XPages registry and retrieves a description for the node. The feature is also designed to work with the 'this.attribute' notation which is used extensively within XPages.

The hover help information takes the following form in the help window if it is hovering over a tag (and not an attribute):

Tag Display Name (tagName)
Description:

If the cursor is hovering over an attribute of a tag the help takes the following form in the help window:

Tag Display Name (tagName)
Description:
Attribute Display Name (attributeName)
Attribute Description:

As mentioned, the information is pulled from the XPages registry, so this functionality works with all tags, not just core XPages controls. Finally, pressing F2 while the hover help is displaying sends focus to the hover help window, which lets you resize the window.

XPages Editor Memory Management Improvements


For this release, memory management improvements have been made in Domino Designer specifically in the area of the XPages editor. Certain previously identified memory leaks have been investigated and fixed. In the past, these leaks would typically surface when editing large complex XPages (i.e., XPages containing several complex design elements) with many control visualizations. These leaks would then lead to a "Java Out Of Memory" exception and cause Domino Designer to crash.

Palette State Saving


For this release, the XPages editor's palette now remembers its state from one XPage to the next. It also remembers states between sessions of Domino Designer.

Send Mail Simple Action


XPages Simple Actions allow you to perform a pre-programmed activity that can be modified by arguments. Simple actions apply to event handlers and can be grouped. For this release a new Send Mail simple action has been added to let you send an email from an XPages application more easily. It also lets you send emails that can participate in the Notes/Open Social Embedded Experience. Use the following steps to use this simple action with a control:

- Put focus on a control to handle a control event or put focus outside all controls to handle a page event.
- Click the Events tab.
- In the left pane, select the event to be handled.
- In the middle pane, click the Server tab.
- Click Simple Actions.
- Add the single action as follows: Select the Send Email simple action.
- Specify the simple action and its properties, and click OK.

The following properties are available for this action:

The Basics Tab


The following properties are available on this tab:

| Argument | Description |
|---|---|
| Send Mail | Send Mail action sends a mail and optionally embeds content in the mail |
| From | The sender of the email |
| To | Comma separated list specifying the addresses of the recipients to receive the email |
| Cc | Comma separated list specifying the addresses of the recipients to receive a copy of the email |
| Bcc | Comma separated list specifying the addresses of the recipients to receive a blind copy of the email |
| Subject | The subject of the email |
| Body (HTML) | HTML for the body of the email |
| Body (Plain text) | Plain text for the body of the email |

The Delivery Options Tab


Delivery options let you specify special actions on the email, as follows:

| Argument | Description |
|---|---|
| Importance | The importance flag for the email (possible values: Low, Normal, High) |
| Delivery Priority | The delivery priority for the email (possible values: None, Only on failure, Confirm delivery, Trace entire path) |
| Prevent copying | Boolean value specifying whether to prevent recipients from copying the email |
| Mark subject confidential | Boolean value specifying whether to add a Confidential prefix to the email subject |

Embedded Experience tab


The Embedded Experience tab allows the email to interact/participate in an OpenSocial container. The Embedded Experience tab is used to specify attributes which will cause the resulting email to display its contents as an embedded experience when the email is opened in an email client (such as the IBM Notes Social Edition) that supports OpenSocial and Embedded Experiences.

The following properties are available for this tab. The arguments made available depend on the choice you make for a format. Selecting the JSON format results in JSON data being generated by the XPages runtime for the Embedded Experience.

JSON:

Selecting the XML format results in XML data being generated by the XPages runtime for the Embedded Experience.

XML:

| Arguments | Description |
|---|---|
| Format | The format of the data which is generated by the XPages runtime for the Embedded Experience |
| Gadget URL | OpenSocial gadget URL to use as a part of the embedded experience |
| Gadget context parameters | The context to be passed to the embedded experience. This is a key value pair. |
| HTML URL | HTML URL to use as a part of the embedded experience with optional parameters, for example: http://myco.com/myxpage.xsp?param1=value1&param2=value2 |

JSON (Advanced)

The Embedded JSON field allows the application developer to enter RAW JSON data which is to be used in the embedded experience.

XML Advanced

The Embedded XML field allows the application developer to enter RAW XML data which is to be used in the embedded experience.

Detection of Content Types & Editable Content Type Field


All contributed XPages content types are now detected by Domino Designer. The content type field for computed fields and view columns is now editable. When developing XPages, the content type field for the Computed Field control and for View Columns was formerly read only. This was not acceptable as developers may want to contribute their own content types. With this new functionality all contributed XPages Content Types will be displayed in a drop down in the UI. XPages developers can select from one of the predefined content types in the combo box, or alternatively may simply type the ID (name) of the content type into the editable field.

Support of converters added to the XPages Checkbox control


For this release, the XPages Checkbox control now accepts converters.

Boolean converters added to controls that accept converters


Domino Designer now allows the Boolean converter to be added as a converter on any XPage control that supports converters. The Boolean converter lets values saved through an XPage be stored within the data source as Boolean objects, as opposed to strings. The following example shows the properties for a Boolean converter used in an Edit Box control:

The Boolean Converter allows the application developer to store a Boolean object of TRUE or FALSE in the data store as opposed to their corresponding string alternatives.

XPages Control Properties Have Been Added to Support HTML 5 Attributes


To address requests for greater flexibility in using HTML 5 attributes, the attrs property has been added to most XPages controls, the XPages StyleSheet, and other client-side Resource objects. The attrs property allows an "Attribute List" to be specified where each Attribute has a name and a value and appears as an HTML attribute in the main HTML element corresponding to the XPages control. The following additional changes were made to address this issue:

- New rowAttrs property was added to the View Panel, File Download, and Repeat controls.
- New Panel control tagName property was added as support for the proposed new container HTML elements.
- New Edit Box control type property was added, with runtime checking preventing type="checkbox" or any of the older HTML 4 types.

PNG File Support for Image Resources


For this release, you now have the ability to import PNG files into Designer as image resources. This file type is now a selection choice in the Image type combo box. This ability lets you use PNG files in places where image resources are used (for example, XPages, forms, views, outlines, etc.).

Domino Designer Preferences Changes


The following changes have been made to Domino Designer preferences:
- XPages is now its own Preferences category.
- Extension Library and Palette Preferences have been added under the XPages category.
- "Show line breaks in editor" preference is now "Show line breaks in design editor" as it refers to the source editor.
- Bubble help preferences and hover help preferences were moved from the Domino Designer preferences panel to the XPages panel/XPages Editor group.
- New checkboxes and some associated timers for hover help and content assist were added to the XPages panel/XPages Editor group. The timer controls are for hover help only and will be grayed out if the checkbox is unchecked.
- A new preference lets the user turn auto-indenting on or off in the LotusScript editor. It is located in the General section of the LotusScript Editor Preferences tab. The current default value is that this feature is enabled.

"Close Application" Applications' Navigator Menu Option


For this release, you can now manually close applications which are open in the Domino Designer Applications navigator. To access this functionality, a new context menu item has been added to the Applications Navigator which lets you manually close an application which was previously opened in the Applications Navigator:

This new context menu item is only enabled when an Application is selected, and the same application is already open. The menu item will be disabled when a node in the design element tree is selected. For example, you can see below that a view design element is selected in the active application so the Close Application option is currently disabled.

When selected, the Close Application menu item will close the currently selected application along with closing all design elements from that application that are currently open.

JAR design element


A new JAR design element has been introduced in this release. The JAR design element gives you the ability to work with packaged Java code/libraries that are included in the application NSF. This design element is only available to XPage applications, where the JAR is automatically loaded by the XPages runtime. This feature frees you from having to deploy the JARS to a server and/or include the source files uniquely in the application database. While JAR files can be added to the NSF through the virtual system, the JAR design element automatically manages the classpath and places the JAR file into web-inf/lib, which is the recommended location for JAR files used in a J2EE application.

The JAR design element is found in the Application Navigator under Code, right next to the Java element.

Creating a JAR element


You create a JAR element using steps similar to that of creating an image resource - in other words, the JAR is imported into the application rather than creating it new. The design element list panel has an Import JAR button that lets you select and import the desired JAR file. For example:

There is no need for JARS to have aliases and, as such, they are not supported. The design list for JAR is fairly simple and identical to that for files, with the exception that the Alias column is removed. As the size information of a JAR could be needed, that is included as a Bytes column. Finally, all the New menus have entries for this new element in the list of design elements as well.

From any of the various ways to create a JAR, you are presented with the following standard Eclipse dialog to choose a file, with the list filtered to include jars. You then select the JAR(s) you need, press Save, and the JAR is then imported into the application.

When a JAR file is in an application, it is physically present as a single note. The Application Navigator shows it under Code/Jars, which is where you can most easily work with it. J2EE applications, however, expect JAR files to reside under web-inf/lib, so there is an additional virtual projection of the same note to that location as well. This example presents a look at how that would appear in the Eclipse general navigator:

In the above example, the file jsdk.jar appears twice, but it is actually in the NSF only once. This is done to allow ease of use while maintaining proper web application structure. Just as with other file design elements, an Export function is also available and JARS can be signed with the Sign action.

The classpath is adjusted for each JAR in the NSF, so any design time compilations can resolve any references to the jar. The changes to .classpath are not persisted to disk, so that older versions of Designer do not malfunction.

Runtime Considerations
At runtime, the JAR note is expanded into the XPage runtime file system under web-inf/lib, and is available to server JS on an XPage, as well as any Java class referenced in that environment.

Launch Option to Run Server-Based XPages Applications Directly on a Domino server
XPages applications on the Notes client face performance challenges when running applications that reside on remote Domino servers. This occurs because many network transactions must be carried out when executing the XPages application in the Notes client. Because XPages Notes applications run in the local Notes XPD web container, all of the XPages Java classes (XPages and custom controls) must be copied across the network from the remote server to the Notes client to be executed. Similarly, all page resources (CSS, JavaScript, GIFs, etc.) must be fetched from the remote server, as well as the actual data documents. Moreover, if your XPages application leverages other Notes design artifacts (for example, using the computeWithForm feature), then large design elements like forms, subforms, shared fields and so forth must also be fetched remotely. On high latency networks, this can have significant performance impacts, particularly if your application has been designed primarily for the web and not optimized for the Notes client.

A new Domino Designer launch option now lets you avoid this situation. The new Notes client launch option is called "Run server-based XPages applications directly on Domino server." When this option is checked and the application is launched by a Notes user, the XPages runtime is requested to run the application on the Domino server over HTTP. This launch option lets you request that remote applications be run on the Domino HTTP server - just as they are for the web user - and displayed in the Notes XPages container. The advantage to this approach is that a lot of network transactions are eliminated to improve performance.

For this request to be honored, a number of conditions must be in place. Primarily, the user must have a Notes HTTP account set up. These accounts can be set up directly on the Notes client or remotely on the Domino server and then provisioned to the Notes client. To create or view Notes accounts, select File > Preferences > Accounts in Notes.

In attempting to honor the request to the XPages application on Domino, XPages iterates through all the Notes accounts defined in the Notes client installation until it finds an HTTP account that matches the name of the server where the application resides. Once those criteria are met, a Domino XPages URL is constructed, the request is sent to the Domino server, and the application then loads in the Notes client. If a matching account is not found or if the request to the server cannot be serviced (e.g. some other incorrect account detail) then you will be prompted to close the application window or to revert to running the application using the local Notes web container.

The Notes Accounts framework and the underlying XULRunner browser automatically pass the user credentials to the web server for automatic authentication. Thus the user should not be challenged for authentication. If you are prompted for user name and password then the runtime Notes/Domino configuration is not correctly set up (for example, incorrectly configured Domino SSO). However, you should be able to verify this independently of XPages by simply entering a URL to the application via the Notes browser address widget on the Notes toolbar.

When running an application on the Domino server within the Notes client, all custom Notes functionality should function as it does when running in native XPages mode. For example, context menus should behave the same (File > Save, File > Replication, Open in Designer, etc.), as should "dirty" document save, client-side JavaScript functions, etc. One exception is that composite applications will not be able to utilize client property broker functionality when running on the server.

You can also bypass setting this option in Domino Designer by setting a NOTES.INI feature, as follows:

XPagesRunRemoteAppsOnServer=1

This setting will be applied to all XPages applications, not individual applications.

XPages / Programmability
New Calendaring and Scheduling (C&S) back end classes
For this release, a framework and first set of methods will be available for a Java API exposing Domino calendar and scheduling functionality. These provide the ability to create, read, update, and remove calendar data in a personal mailfile using standardized iCalendar (RFC 5545) data format. They also allow explicit calendar actions on calendar entries and notices (accept, decline, cancel, etc).

Note: iCalendar allows for the capture and exchange of information normally stored within a calendaring and scheduling application, such as a Personal Information Manager (PIM) or a Group-Scheduling application product. The iCalendar format is suitable as an exchange format between applications or systems. The format is defined in terms of a MIME content type. This lets the object be exchanged using several transports, including but not limited to SMTP, HTTP, a file system, desktop interactive protocols such as the use of a memory-based clipboard or drag/drop interactions, point-to-point asynchronous communication, wired-network transport, or some form of unwired transport such as infrared.

The purpose of these initial classes and methods is to provide a basis for exploring development possibilities and for building small, simple calendar and scheduling prototype applications without needing to be fully versed in the internals of Notes Calendar and Scheduling.

Note on additional documentation: The XPages JavaScript reference includes documentation for the new NotesCalendar, NotesCalendarEntry, and NotesCalendarNotice classes. This documentation also includes syntax and examples for the corresponding LotusScript and Java classes. Click Help - Help Contents and look under IBM Domino Designer XPages Reference - Domino.

The following new classes were added:

- NotesCalendar
- NotesCalendarEntry

The following summarizes the new methods that were implemented for these classes:

- Session.getCalendar

NotesCalendar
- NotesCalendar.getEntry
- NotesCalendar.createEntry
- NotesCalendar.readRange

NotesCalendarEntry
- NotesCalendarEntry.read
- NotesCalendarEntry.update
- NotesCalendarEntry.remove

Note: Trying to use any of the methods displayed in Designer that are not yet implemented will cause a "NotImplemented" exception to be thrown.

Usage details on new methods


The following information provides additional details for using these methods:

Session.getCalendar
Creates a NotesCalendar object from the Database object. The database is not verified to be a valid C&S database until it is actually accessed.

    lotus.domino.NotesCalendar getCalendar(lotus.domino.Database db) throws NotesException

NotesCalendar.getEntry
Returns a NotesCalendarEntry object that is associated with the provided uid (iCal identifier). This does not do validity checking to be sure that the entry actually exists.

    NotesCalendarEntry getEntry(String uid) throws NotesException

NotesCalendar.createEntry
Returns a NotesCalendarEntry from the iCal provided when given an iCalendar string (iCal) properly formatted according to RFC 5545.

    NotesCalendarEntry createEntry(String iCal) throws NotesException

NotesCalendar.readRange
Returns an iCalendar string that represents all calendar entries that appear on your Notes calendar and start between the provided start and end times. For recurring entries, each instance within the range is output separately. This represents only summary data for each entry, but each entry will contain a UID that can be used to get a NotesCalendarEntry object with the getEntry method. The caller is responsible for parsing the output.

    String readRange(DateTime start, DateTime end) throws NotesException

NotesCalendarEntry.read
Returns the iCalendar string representing this calendar entry. If recurID is specified for a recurring entry, returns the iCalendar string for just that occurrence. recurID is expected to be a string representing the date/time that a particular instance was originally scheduled at, formatted like an iCalendar RECURRENCE-ID. For example: "19960120T120000Z". See RFC 5545, section 3.8.4.4.

    String read() throws NotesException
    String read(String recurID) throws NotesException

NotesCalendarEntry.update
Given an iCalendar string (iCal) properly formatted according to RFC 5545, updates this calendar entry by passing in iCalendar. For recurring meetings, this is only currently supported for individual instances and the iCalendar input must contain a single VEVENT that specifies the appropriate instance with a RECURRENCE-ID, as defined in RFC 5545. If no comments are specified, this will NOT send notices even if this is a meeting. If this is a meeting where the mailfile owner is the organizer, appropriate notices will be sent, including the comments provided. Currently, any provided comments are ignored.

    void update(String iCal) throws NotesException
    void update(String iCal, String comments) throws NotesException

NotesCalendarEntry.remove
Removes (deletes) a calendar entry from the mailfile. If recurID is specified, then only that occurrence is removed. If this calendar entry is a scheduled meeting, it will be properly cancelled or declined, and appropriate notices will be sent to the organizer or participants. The version remove(recurID) will be changed to remove(recurID, scope) prior to the gold version of this software.

    void remove() throws NotesException
    void remove(recurID) throws NotesException
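Because the caller is responsible for parsing readRange output, and getEntry does no validity checking on the uid it receives, the following added example (not IBM code and not part of these release notes) shows one way to parse that output defensively in plain JavaScript. The function names, the size limits and the sample input are assumptions constructed for illustration; these notes do not say whether each recurring instance carries a RECURRENCE-ID, so the parser records it only when present.

```javascript
// Added example, not IBM code: parse the iCalendar text from readRange.
var MAX_INPUT_CHARS = 1000000; // assumed limit, not a Domino value
var MAX_UID_CHARS = 255;       // assumed limit, not a Domino value

// RFC 5545 section 3.1: a line break followed by one space or tab is a fold.
function unfoldICal(text) {
  return text.replace(/\r\n|\r/g, "\n").replace(/\n[ \t]/g, "");
}

// Split "NAME;PARAMS:VALUE" at the first colon outside double quotes.
function parseContentLine(line) {
  var inQuotes = false, nameEnd = -1;
  for (var i = 0; i < line.length; i++) {
    var ch = line.charAt(i);
    if (ch === '"') {
      inQuotes = !inQuotes;
    } else if (!inQuotes && ch === ";" && nameEnd < 0) {
      nameEnd = i;
    } else if (!inQuotes && ch === ":") {
      if (nameEnd < 0) { nameEnd = i; }
      return { name: line.substring(0, nameEnd).toUpperCase(), value: line.substring(i + 1) };
    }
  }
  return null; // no unquoted colon, so not a content line
}

// RFC 5545 section 3.3.11 TEXT escapes: \\ \; \, and \n or \N.
function unescapeText(value) {
  return value.replace(/\\([\\;,nN])/g, function (match, c) {
    return (c === "n" || c === "N") ? "\n" : c;
  });
}

// getEntry does no validity checking, so screen UIDs before passing them on.
function isUsableUid(uid) {
  return typeof uid === "string" && uid.length > 0 &&
    uid.length <= MAX_UID_CHARS && !/[\x00-\x1f\x7f]/.test(uid);
}

// Returns one record per complete VEVENT that carries a usable UID.
function parseRangeOutput(ical) {
  if (typeof ical !== "string" || ical.length > MAX_INPUT_CHARS) {
    throw new Error("readRange output is missing or exceeds the size limit");
  }
  var lines = unfoldICal(ical).split("\n");
  var events = [], current = null, nested = 0;
  for (var i = 0; i < lines.length; i++) {
    var cl = parseContentLine(lines[i]);
    if (!cl) { continue; }
    var kind = cl.value.toUpperCase();
    if (cl.name === "BEGIN") {
      if (current) { nested++; } // a component such as VALARM inside the VEVENT
      else if (kind === "VEVENT") {
        current = { uid: null, recurrenceId: null, dtstart: null, summary: null };
      }
    } else if (cl.name === "END") {
      if (current && nested > 0) { nested--; }
      else if (current && kind === "VEVENT") {
        if (isUsableUid(current.uid)) { events.push(current); }
        current = null;
      }
    } else if (current && nested === 0) {
      if (cl.name === "UID") { current.uid = cl.value; }
      else if (cl.name === "RECURRENCE-ID") { current.recurrenceId = cl.value; }
      else if (cl.name === "DTSTART") { current.dtstart = cl.value; }
      else if (cl.name === "SUMMARY") { current.summary = unescapeText(cl.value); }
    }
  }
  return events; // an unterminated VEVENT (truncated input) is dropped
}

// Recurring entries appear once per instance; collapse to distinct UIDs.
function uniqueUids(events) {
  var seen = {}, uids = [];
  for (var i = 0; i < events.length; i++) {
    var key = "uid:" + events[i].uid;
    if (!seen[key]) { seen[key] = true; uids.push(events[i].uid); }
  }
  return uids;
}

// Constructed sample input (not captured from a server).
var SAMPLE_RANGE_OUTPUT = [
  "BEGIN:VCALENDAR", "VERSION:2.0",
  "BEGIN:VEVENT", "UID:sample-1@example.com", "DTSTART;TZID=Europe/Rome:20130114T090000",
  "SUMMARY:Patch window\\, mail", "  servers",
  "BEGIN:VALARM", "ACTION:EMAIL", "SUMMARY:Reminder", "END:VALARM", "END:VEVENT",
  "BEGIN:VEVENT", "UID:sample-2@example.com", "RECURRENCE-ID:20130115T140000Z", "END:VEVENT",
  "BEGIN:VEVENT", "UID:sample-2@example.com", "RECURRENCE-ID:20130116T140000Z", "END:VEVENT",
  "BEGIN:VEVENT", "DTSTART:20130117T100000Z", "SUMMARY:No UID", "END:VEVENT",
  "END:VCALENDAR"
].join("\r\n");
```

In an application, the string passed to parseRangeOutput would be the value returned by readRange, and each value from uniqueUids would then be handed to getEntry.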

Spell checker added to CKEditor


A spell checker has now been added to the CKEditor in XPages. It will be available on both the server and the client. It is located here in the CKEditor:

Programmability documentation updates for new Calendar and Scheduling classes

For Calendar & Scheduling, the JavaScript API is documented in the IBM Domino Designer XPages Reference under the Domino classes section. The new classes documented are NotesCalendar, NotesCalendarEntry, and NotesCalendarNotice. Also, by scrolling down in any of these JavaScript topics, you will find syntax information and sample code for the other interfaces (Java, LotusScript).

Known issues/changes/fixes in this release


Domino Designer
- DXL problem: In DXL Export, when inconsistent data is encountered, an error/warning is issued, and the data is written as rawitemdata vs readable entities. Example of warning:

  warning: Inconsistent data encountered (noteid 1706; item fieldRichText; cd #16(4); note 0x1706)
  warning: Writing data as rawitemdata element due to previous warning

  Related SPR# DMAT8PGT6P

- Facets are now visible - Facets (and their children) are now visible in the XPages Design Editor. Work done to address SPR.

  Related SPR# MKEE89HKYS: XPages, Extensibility, no design visualization for facets.

- XPages Extension Library control event handler added - An event handler has been added to XPages Extension Library controls. This is a fix to a widely reported issue in 8.5.3 in which the event handler was given the wrong prefix. This has been fixed for 8.5.4.

  Related SPR# DEGN8LFE64: Event Handler namespace changes when added to controls from Extension Library

- Java design element naming issue resolved - In a previous release, Java design elements with underscores in the name did not function correctly. This issue has been resolved.

  Related SPR# MLED8MDHXU: java design elements with underscores in the name do not function correctly

- Issue with Source Control when using Application icons - When using the Source Control enablement feature, if the application contains a new Application Icon (rather than the default application icon), the icon will be lost when synchronized with source control. As a workaround, you will need to re-add the icon to the application using Resources->Icon editor.

  Related SPR# GGRD922KPD

- When using the Domino blog template, images are lost or broken when a post is viewed in a browser - In this release, creating documents with images works fine. You can paste in a graphic or HTML code, and it looks correct in the Notes client. When accessing the post via browser, however, the images break and the HTML code doesn't pass through. As a workaround to this issue, refresh the template.

  Related SPR# ESAR92HQ7R

XPages
- IMPORTANT: Users with any previous installations of any OpenNTF Extension Library - You must UNINSTALL any OpenNTF Extension Library that you may have installed in the Notes client BEFORE you install the Social Edition Beta.

- Widget publishing issue - Publishing a widget fails and causes a "Cannot find class com.ibm.rcp.toolbox.template.converter.PlatformConverter in nsf" exception in the widget catalog. After obtaining a new toolbox from a new build, replacing the design, and then opening the Widget Catalog in Designer to enable the agent, the publishing of the widget causes a "Cannot find class com.ibm.rcp.toolbox.template.converter.PlatformConverter in nsf" exception. Possible cause: If you have opened the Widget Catalog in Designer before, the classpath information for PlatformConverter may sometimes be missing.

  Related SPR# HBJW8VQBWP: [854FPR]publish widget failed by platformconvert error

  Workaround: As a workaround for this issue, use the following steps to manually add the missing class path information and then rebuild the Widget Catalog.
  1) Open the Widget Catalog in Designer, by right-clicking on the Widget Catalog and selecting Project Properties.
  2) Select Java Build Path and click the "Add Folder..." button on the Source tab.
  3) Add the source folder under WebContent/WEB-INF/.
  4) Rebuild the project.

- XPages rendering issue corrected - XPages previewed in the Notes client now render correctly after the local preview server port number is changed.

  Related SPR# MLED8MRQRX: Reviewing xpage in client fails if http preview port changed

- Issue with SpellCheck button in the CKEditor - The SpellCheck button in the CKEditor in XPages in the Notes Client does not work. There is no workaround.

  Related SPR# PEDS8YXDQ2

- Issue with Simple Mail Action - Having more than one recipient in the To, CC, or BCC field causes the Send Mail simple action to fail. To avoid this, use a group to send a mail to multiple recipients.

  Related SPR# PHAN92QMJC

- Issue with OneUIV3.0.2 theme and Date Time Picker helper control in Internet Explorer - A problem occurs when using the Date Time Picker helper control with the OneUIV3.0.2 theme with the aggregator turned on in Internet Explorer browsers. In such cases, the Date Time Picker helper control will not display as expected. Dates and times can still be entered and edited but the input control will be missing the helper along with other styling issues. A workaround for this is to turn off the aggregator.

  Related SPR#s PHAN8Z7KVW and PHAN92ULF3
