Академический Документы
Профессиональный Документы
Культура Документы
0 Social Edition
Public Beta Release
Release Notes
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Installation
A note about re-naming the current Notes and Domino release
The identity of the current release of Notes and Domino has changed from "8.5.4 Social Edition" to "9.0 Social Edition." The term "9.0 Social Edition" refers to the overall release, and not a particular component or feature. This change will be visible in several areas of the product, such as splash screens, Help/About screens, install panels, and consoles. The add-on install packages for Notes and Domino that were previously called "Social Edition" are now a part of the Notes client installer, and display as a feature named 'OpenSocial component' (Linux installation will still include an RPM file). The Domino add-on install package previously called "Domino Social Edition Embedded Experiences Add-On" is now called 'Domino Social Edition OpenSocial component'. If upgrading, please select 'OpenSocial Component', as it will not be selected by default. The Notes Application Plug-in has been renamed to "Notes Browser Plug-in". While most of these changes have been implemented for the Public Beta, a small number will be completed for the GA release.
Server installation
We recommend that you install the Domino server for this beta release on a non-production system. You can upgrade a server running the latest maintenance release of a shipped version of Domino. If you upgrade, be sure to manually refresh the design of the Domino Directory. For instructions on installing the Domino server, see the following topic in the Domino 8.5 Administrator section of the Domino and Notes Information Center: Domino Server Installation
Prerequisites
z z z
AIX 32 AIX 64
9.0 Social Edition Supported Platforms z AIX 5.3 TL7 POWER System (64-bit kernel) z AIX 6.1 POWER System (64-bit kernel, Service Pack 4, APAR IZ10223, APAR IZ09961, APAR IZ10288, APAR IZ08022) z AIX 7.1 POWER System (64-bit kernel)
Comments
z z
AIX 7.1 already has the minimum runtime Currently sw in the 9.0 Social Edition builds
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
To install the OpenSocial component on IBM i : 1. On the IBM i system, stop any active Domino server and make sure Domino 9.0 Social Edition is already installed. 2. Download the webkit to a workstation and extract the contents. InstallShield Wizard will run automatically after the extraction. 3. Follow the instructions on the Installer panels to accept the license, specify the IBM i system where the OpenSocial component will be installed with user profile and password, and specify the default location where the files are extracted. Click Next to start installing. 4. After the InstallShield Wizard completes successfully, log on to the IBM i system to check the status of the OpenSocial component. 5. Use the DSPPTF command; you should see the following result: DSPPTF LICPGM(5733LD9) Opt PTF ID SE19001 Status Temporarily applied IPL Action None
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
To uninstall the OpenSocial component on IBM i : 1. On the IBM i system, stop any active Domino server. 2. Log on to the IBM i system. 3. Use the RMVPTF command to uninstall the OpenSocial component; you should see the following result: RMVPTF LICPGM(5733LD9) RMV(*PERM) Object QPZ119001 in QDOMINO900 type *FILE moved to library QRPLOBJ. Object QPZ119001 in QRPLOBJ type *FILE renamed QSE1900101. Object QPZ219001 in QDOMINO900 type *FILE moved to library QRPLOBJ. Object QPZ219001 in QRPLOBJ type *FILE renamed QSE1900102. Object QPZR19001 in QDOMINO900 type *PGM moved to library QRPLOBJ. Object QPZR19001 in QRPLOBJ type *PGM renamed QSE1900103. PTF 5733LD9-SE19001 V9R0M0 permanently removed from library QDOMINO900.
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
To uninstall in silent mode 1. Edit the uninstall script and replace -console with -silent. For example, replace: cmd="$NUI_NOTESDIR/notes/latest/$DEV_ARCH/jvm/bin/java -DSE=1 -cp $NUI_NOTESDIR/notes/latest/$DEV_ARCH/_uninstSE/uninstall.jar run -console" with cmd="$NUI_NOTESDIR/notes/latest/$DEV_ARCH/jvm/bin/java -DSE=1 -cp $NUI_NOTESDIR/notes/latest/$DEV_ARCH/_uninstSE/uninstall.jar run -silent" Completing OpenSocial component installation 1. Download and install the Domino 9.0 Social Edition build. 2. Shut down the Domino server. 3. Run the server installer and follow its instructions to install the OpenSocial component. 4. Start the Domino server
Client installation
IMPORTANT - Installation notes Windows 7 - Must run as Administrator to complete multi -user install Multi-user installation is not supported on Windows 7 when installing from a non-administrator account; you must be logged in as an administrator to install Notes 9.0 Social Edition Public Beta. Linux - Ubuntu 12.04 64-bit is not supported Installing the Notes client on Ubuntu 12.04, 64-bit platform is not supported for this beta release; installation will fail if attempted. Linux - Upgrade is not supported from 8.5.x releases If you have previously installed a Notes 8.5.x release, it must be uninstalled prior to the installation of the current Notes 9.0 Social Edition Public Beta. You may uninstall previous versions and install the new version manually, or you may run the shell script smartupgrade.sh, shipped in the Notes 9.0 Social Edition install kit:
z z z
smartupgrade.sh can uninstall 8.5.x and fixpacks, and then install 9.0 with all components smartupgrade.sh can perform a clean installation; 9.0 will be installed with all features smartupgrade.sh can uninstall/reinstall 9.0 with Open Social and Feedreader set by default
If Notes 8.5.x is not uninstalled and is launched after Notes 9.0 Social Edition Public Beta is installed, the data folder may be damaged and would cause various failures in both Notes 8.5.x and the Notes 9.0 Social Edition Public Beta. IBM Symphony - Separate download now required IBM Symphony has been removed from the Notes 9.0 Social Edition client. If you want to continue using Symphony, you can download it from the Symphony home page at: http://www-03.ibm.com/software/lotus/symphony/home.nsf/home
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Support
Support from Development is available through the Web-based feedback forum. It is strongly recommended on deployments ONLY in test, and not in production environments. To use the forum, you must be a registered user for the Lotus Developer Domain (LDD). Click here to create an account. Only the primary and backup participants at each company are registered for forum access
Patches
All patches, if any, are posted on the download site. See the main beta release announcement for instructions on installing them.
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Domino Server
Purpose of the beta release
The server team is looking for feedback on specific aspects of the IBM Domino product for this beta release of Domino 9.0 Social Edition. As a result, areas of the product may not have undergone the extensive testing that normally takes place with releasing a milestone. We do not recommend that you use the early builds for anything other than testing the focus areas for a given drop, as these focus areas have undergone more extensive testing. If you find any problems with any of the focus areas, please report those issues in the forum. Information about the forum is provided below..
Support
Support from Development is available through the Web-based feedback forum. It is strongly recommended on deployments ONLY in test, and not in production environments. To use the forum, you must be a registered user for the Lotus Developer Domain (LDD). Click here to create an account. Only the primary and backup participants at each company are registered for forum access
Patches
All patches, if any, are posted on the download site. See the main beta release announcement for instructions on installing them.
Known Issues
HTTP not starting on AIX 64, shows JVM exception in thread "main" HTTP fails to start on AIX 64, with a JVM error in the console log, as shown below: [24183018:00002-00001] 21/07/2012 11:35:44 Schedule Manager: Informational: Detailed schedule information collection is not enabled via the domain-wide Server Configuration document. [24183018:00002-00001] 21/07/2012 11:35:44 SchedMgr: Validating schedule database [24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: Exception in thread "main" [24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: java/lang/Error: bootstrap error, system property access before init [24117314:00002-00001] 21/07/2012 11:35:45 HTTP JVM: at java/lang/System.getProperties (System.java:339)
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Workaround: Set the local parameter. On AIX, - local shows the current local parameter. Next, type
in: export LC_ALL=C export LANG=C Confirm the local parameter is set by typing in - local again. Install the North American Domino server kit as root. Finally, when you switch to the Notes user, ensure that export LC_ALL=C and export LANG=C are set. Then start Domino as usual. (SPR # PLOS8WEEJF) PANIC: LookupHandle: handle not allocated issue Several crashes have been observed when closing documents associated with a database that is being closed in the IMAP process. No cause has been determined, and there is currently no work around. (SPR # BFUY8XNL8M) OAuth and OAuth2 service elements defined in a OpenSocial gadget used in Domino cannot work in this beta release without a name attribute If the name is missing, the Widget Approval process will not prompt for the OAuth data.
Workaround: Specify the name for any gadget you use. For more details, see the relevant sections in the
OpenSocial specifications for OAuth and OAuth2:
z z
On a Domino server upgraded to Domino 9.0 Social Edition, 8.5.3 mail users may see an undefined string in the interface The problem occurs when there is both a Forms85.nsf and a Forms9.nsf file on the mail server.
Workaround: It is recommended that you either delete Forms85.nsf from the server, or set the following two NOTES.INI parameters to specify the forms file you wish to use, for example:
iNotes_WA_FormsFiles=iNotes/Forms9.nsf iNotes_WA_DefaultFormsFiles=iNotes/Forms9.nsf Forms85.nsf provides users with the current 8.5.3 experience; Forms9.nsf gives them the new iNotes 9.0 experience. This issue will be corrected in a future release. (SPR #JDOE8ZLMTR)
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
On Windows 2008 64-bit, an error message may appear after upgrading to IBM Domino 9.0 Social Edition from Domino 8.5.3 Despite the error message, Domino 9.0 Social Edition does install and start correctly after you click Finish and run setup. You may see the following error message: Errors occurred during the installation. An error occurred and product installation failed. Look at the log file C:\<Domino Program directory>\DominoInstall.log for details.
Workaround: In this beta release on this platform, do not upgrade from a shared network drive.
(SPR #SZZZ92R8JF) If you disable the transaction log and restart the Domino server , the server hangs
Workaround
1. Edit the server NOTES.INI file and set the following parameters: previous_translog_status =0 translog_status=0 2. Force the server to shut down, and then restart. (SPR # SMQU927C5M) On Linux 64, full-text search option does not work as expected In this beta release on this platform, the option for creating a full-text index Using conversion filters on supported files (searching is often more accurate ) does not work because no conversion filters are yet installed. The content of most attachments is not yet searchable in full-text search, domain search, or site search.
Workaround: None.
(SPR # WBJZ8ZC5LW)
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
SAML authentication fails for iNotes users who do not have a Notes ID in the ID vault In this beta release, after SAML is configured, only iNotes users who already have a Notes ID in the ID vault can use SAML. You cannot import IDs for them after SAML configuration; authentication will fail.
Workaround: Make sure iNotes users have Notes IDs in the ID vault before configuring SAML for iNotes.
(SPR #MFAY922JRL) On IBM i, a new option to delete Domino shared memory does not work A new option to delete shared memory manually for an authorized IBM i user will work in a future release, but does not work in this beta release. The option 18=Delete Domino Shared Memory is displayed in the Work with Domino Servers panel, but causes an error.
Workaround: This problem is most critical for crash situations where the crashing call stack is needed to
identify the problem. In this case, NSD does generate a core file that can be collected and annotated. Searching for "Generating core dump" in an NSD yields an entry in the NSD where the path to the core file is recorded. Collect this file for problem determination. For example:
INFO (0): Generating core dump for [nchronos: 0898] (coreflags=0, exp=1c8ba70, dbgver=6.8.0004.0) INFO (0): Generated core dump file C:\Lotus\Domino\data\IBM_TECHNICAL_SUPPORT\core_nchronos_W32I_SERVER_2012_09_1 4@06_26_53.dmp (SPR #KBRN8NMS2Y)
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
On IBM i, a console message does not display if Java console is running If the Domino server is connected with jconsole.exe, a console message does not display. Note Sending a Domino command via Java console to the server does work.
Workaround: Use either Work with Domino Console in Green Screen or the server console in the Domino Administrator client.
(SPR # YZZZ92RFGR) Problem Administrator client context -sensitive help functionality is not complete In this beta release, not all areas of the Administrator client respond to the Help > Context Help command.
Workaround: Select Help > Help Topics and search the help for the area of interest.
(SPR #KLKL92CG7T)
10
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Focus features
Security Assertion Markup Language (SAML)
Using Security Assertion Markup Language (SAML) to configure federated -identity authentication Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. Notes/Domino federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
SAML authentication allows a user to authenticate once with a designated identity provider (IdP), after which the user can access any server that is partnered with the IdP. Both Notes client and Web client users can make use of SAML-based authentication. Authentication depends upon signed XML identity assertions. The result for the user is transparent authentication and single-sign on with one-time authentication for multiple Domino web servers and applications, as well as any third-party applications that are also partnered with the IdP. The IdP determines the method of the one-time authentication; it might prompt the user for a password, or use a non-password authentication methods such as Integrated Windows authentication (SPNEGO/Kerberos) for users within an intranet. For Notes client users on Citrix, SAML authentication can facilitate a single-sign on solution, usually with the IdP configured for Integrated Windows authentication (IWA). SAML authentication at Notes client startup is referred to as federated login. Note: For Web users, SAML-based single sign-on is an alternative to another method of single sign-on (SSO) already available in Domino: multi-session server authentication. SAML is most useful when your Domino environment includes third-party Web applications whose services your users access, or if multi-session server authentication is too limiting for your organization -- for example if the target environment requires SSO across DNS domains. For more information, see the topic later in this document on Configuring SAML from the Internet Site document. You can set up federated-identity authentication for users of the Domino Web server, for Notes client users who authenticate through federated login, or for both. In this release of Domino, the administrator can set up the Domino server to use SAML authentication by making it a partner with an on-premises federated-identity server such as IBM Tivoli Federated Identity Manager (TFIM) coupled with a IBM Tivoli Access Manager (TAM) authentication server. The TAM/TFIM server becomes the identity provider (IdP), and the Domino server is registered with it as a provider of the SAML authentication service. For learning purposes, this beta release comes with cookbook instructions to create a highly simplified environment in which TFIM is deployed without TAM. In the highly simplified environment, users are identified by their common name (for example, "John Doe") to Domino, rather than by a unique identifier such as email address (for example, "jdoe@renovations.com"). The highly simplified scenario is for demonstration purposes only -- a full deployment would include a component such as TAM that ensures each user is identified by an email address, and Domino might have name mapping solutions in place to map the email address to a Domino name found on Domino ACLs. Domino supports both SAML 1.1 and SAML 2.0. The SAML version you use depends on your choice of identity provider. In this beta release, "cookbook" instructions are included for ADFS, which requires SAML 2.0, and for TFIM with SAML 1.1 or TFIM with SAML 2.0:
z z z z
Cookbook: Setting up new Relying Party Trust for AD FS 2.0 Cookbook: Setting up a new federation on TFIM 1.1 Cookbook: Setting up a new Federation on TFIM 2.0 Cookbook: Setting up a new partner on TFIM
11
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
SAML 2.0 is recommended unless your organization has a specific reason to use SAML 1.1. SAML 1.1 may be required to support single sign-on with specific applications. Depending on the level of SAML required for participating applications , the following identity providers that support SAML could serve as the federation for which Domino is the partner:
Important SAML authentication includes timestamps. Ensure that the SAML IdP computer and the Domino SAML service provider computer have their clocks synchronized so that these computers share the same notion of current time. If clocks are too far out of sync, a SAML assertion may be rejected because the assertion appears to have an invalid time. This is particularly problematic if the IdP machine time is ahead of the Domino server time, so that Domino rejects an assertion which appears to specify a future time.
Compatibility
The following table lists client configurations with which SAML is not compatible or only partially compatible.
12
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If your organization uses ... Notes user IDs with multiple passwords
SAML is not recommended because ... Federated login user IDs cannot be Notes user IDs with multiple passwords, because the ID vault required for Notes federated login and cannot be used with IDs that have multiple passwords. Disable this feature on server platforms when configuring all Notes users for Notes federated login. Password checking can be enforced for non-federated login users, but cannot be enforced for federated login users.
Domino Directory - names.nsf (pubnames.ntf) ID Vault - idvault.nsf IdP Catalog - idpcat.nsf (if you previously deployed it)
Operating system: Windows Enterprise Server SP2 Stand-alone WebSphere Application Server profile WebSphere 7.0.0.11 TFIM 6.2.1 with FP 1
Operating system: clean installation of Windows 2008 EE 32 bit ADFS 2.0 Version 6.1.0.0
Your Notes client users are in a Domino directory; you do not use directory assistance. Your Notes client users' IDs are stored in the ID vault. It is recommended that you test this feature on a clean client installation.
Important Testing federated login in this beta release requires following the instructions in the following document: Cookbook: Setting up Notes federated login
13
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
This topic uses IBM Tivoli Federated Identity Manager (TFIM) as the example of an identity provider (IdP) to Domino for your organization. Before you begin An IBM WebSphere server is the required platform for TFIM. Procedure Perform the following tasks: 1. Setting up a Tivoli Federated Identity Manager (TFIM) federation 2. Setting up a Domino server as a TFIM partner
Registering the TFIM identity provider server with Domino as the SAML service provider
Registering Domino consists of an export step on the TFIM server and an import step on the Domino server. Procedure 1. Export the TFIM identity provider (IdP) federation information from the TFIM server. The federation information is contained in a file called metadata.xml. 2. Transfer the file to a drive accessible to the Domino server, and from there, transfer the file to the Domino server. 3. On the Domino server configure the IdP Catalog as described below in Enabling the Domino server to provide SAML authentication.
14
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
15
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
At the SAML IdP, the provider id is used to find the matching IdP partner, as specified in the Provider ID field in the TFIM Partners SAML Message Settings configuration. The Domino IdP Configuration document in the IdP Catalog similarly specifies the Service Provider ID argument (SP_PROVIDER_ID) used in building the redirect URL to the IdP. For example, if SSL is not being configured for Domino, the redirect URL to the IdP looks like this: https://your_WebSphere_server_name :9443/sps/saml11idp/saml11/login?SP_PROVIDER_ID=http://your_Domino_server_name &TARGET=http://your_Domino_server_name /names.nsf The Provider ID can be set at the IdP and at Domino (in the IdP Configuration document) to specify https, although the primary purpose of the SP_Provider_ID is to have the IdP setting match the setting at Domino in the IdP Configuration document. When configuring SSL at the Domino Web server, if you are monitoring the redirect URL to the IdP, you
16
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
should see the TARGET containing https. https://your_WebSphere_server_name :9443/sps/saml11idp/saml11/login?SP_PROVIDER_ID= https://your_Domino_server_name&TARGET=https://your_Domino_server_name /names.nsf Note The Domino Web server name must be the fully qualified host name. For more information on the SP_PROVIDER_ID argument, see the related topic on the Internet transfer URL (SAML 1.x initial URL): Related reference SAML 1.x initial URL Configuring a port for SSL
Setting up Microsoft Active Directory Federation Service (ADFS) as the federation for a Domino partner
In the beta release, you can configure Microsoft ADFS for SAML 2.0. ADFS requires that the Domino server you use as a relying trust (ADFS equivalent of a partner) is protected by SSL. About this task For the details necessary to set up ADFS as a federation for use with Domino, see the appropriate "cookbook", available frpm the beta download site.
17
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
3. At the Domino server console on the Domino server, enter the following command to create the certificate: certmgmt create saml [overwrite] Note If the server ID file already has an Internet certificate that could be used, this step is optional. 4. Take note of the public hash key displayed on the console after you issue the create command. The message displayed looks like this but with a key specific to your system. . The key is the string between the double quotes. Certificate created, public key hash="v6i9TOz7zP9GBCXxtrz+KA==" 5. Edit the Domino server NOTES.INI file again and enter the following required setting, using the hash key you noted: SAMLPublicKeyHash=your_hash_key 6. Restart the Domino server to allow the hash key setting to take effect. 7. Enter the following command to generate a metadata .XML file (for example, tfim-meta.xml for TFIM) to import into your federation: certmgmt export saml xml filename.xml Important If you have chosen not to perform the certmgmt create step above, then you cannot use the certmgmt export command to create the metadata file. Instead of using a metadata file, you must manually enter information at the IdP to create the partnership in a later step. 8. Enter the following command to generate and export from Domino a certificate file (for example, renovationsSAMLCert.p12 for TFIM) to import into your federation. certmgmt export saml pkcs12 filename.p12 9. Copy the exported certificate file from Domino to a location accessible to the IdP, and import the file into the IdP configuration. For more information, see the cookbooks for the TFIM or ADFS IdP (linked above).
18
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Setting up Microsoft Active Directory Federation Service (ADFS) as the federation for a Domino partner.
Obtain a copy of the metadata.xml file that was exported from the IdP, and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Domino Administrator client. If the IdP Catalog (idpcat.nsf) application already exists, you must have access to create documents in it. Tip: Because SAML configuration requires cooperating configuration for Domino and for the identity provider (IdP), Domino Web server configuration should first be fundamentally sound when being used independently of an IdP. Therefore, before enabling SAML, consider setting up the Domino HTTP server for single-server session authentication. This task includes configuring Domino to log in as a Web user (for example, the Domino administrator that has been configured in the Domino Directory during the Domino server setup). After you as this administrator are able to log in as the Domino user, successfully browsing to URLs on the Domino server, the server is ready for SAML enablement. For most SAML 2.0 configurations, the Domino HTTP (SAML service provider) server's ID file must contain an Internet certificate. If the server already has such a certificate (for example, one used for SSL), in a future release you will be able to use the same certificate for the SAML partnership. In this beta release, you must use either the IdP catalog database Create Certificate button, or the server console certmgmt command (see instructions for each below). In a future release, you will be able to use any existing method, such as the Domino certificate authority (CA), to create a certificate for use with SAML. Tip: If you do not use either the IdP catalog database Create Certificate button or the server console certmgmt command to create a new Internet certificate for SAML, then you cannot create a Domino metadata file in this beta release; you must set up the IdP partnership manually. In future release you will be able to use an existing server Internet certificate (such as the server's SSL certificate) to work with the ADFS IdP, which does not require a Domino metadata file. If you use the server's SSL certificate, you would export the certificate and private key from the SSL keyring file into a file in PKCS12 format. Then you would use the User Security dialog box in the Notes client to import the certificate and private key from the PKCS12 file into the server's ID file. About this task Enabling SAML requires two tasks: specifying SAML authentication in the Domino Directory, and creating a document to contain SAML configuration settings. Depending on whether your organization uses Internet Sites, you specify the authentication in either the Server document or in one or more Internet Site documents. The SAML configuration settings are then specified in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application. Together, these documents determine whether Domino, as the SAML service provider, trusts SAML assertions from a specified identity provider (IdP). The IdP's public key, stored in an IdP Configuration document in the IdP Catalog application, is used for cryptographic verification of a SAML assertion issued by the IdP.
19
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP. It is recommended that you use SSL security for your SAML configuration; if your federation is Microsoft Active Directory (ADFS), SSL is required. See Using Domino as a SAML-based security provider with SSL. Note When your organization uses SAML for session authentication, disable the field Enforce Internet Password Lockout on the Security tab of the server Configuration document. In addition, disable any Web password management settings - such as synchronizing the Notes client password with the Internet password - that have been enabled in security policies applied to SAML users.
Internet passwords
For more information on Internet password lockout, see the following Information center topic: Securing
Important If the Domino server has a server.id file protected by a password, the administrator cannot use the Create Certificate button described below to create a metadata file. Instead, see Creating the Domino metadata file if the server.id file is password-protected. Note Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them. Important If you later modify an existing SAML IdP Configuration document or add a new one, restart the HTTP process on the Domino Web server so that the changes are recognized. Procedure 1. From the Domino Administrator, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists. Caution: If your server is running on UNIX, make sure the file name is all lower-case. 2. Assign access in the ACL only to any Domino SAML administrator(s) and to the server. Note: If the idpcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL. 3. Click Add IdP Config to create a new configuration document . Note: If you have multiple Internet Site documents in your organization, and you want SAML authentication used at these multiple Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see Configuring SAML from the Internet Site document.
20
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
4. On the Basics tab, in the Host names or addresses mapped to this site field, enter either an IP address or Web address (DNS host name, or Internet site name) representing a service provider's Web site, or both. If you enter both, separate the IP from the Web address using a semicolon, for example, 9.32.256.2; www.renovations.com. (www.renovations.com.) The order of addresses does not matter, and you can enter multiple items, separated by semicolons. Important: The IP or Web address you enter here should match what is entered in either the Host name(s) field on the Internet Protocols /HTTP tab in the Server document, or the Host names or addresses mapped to this site field of the corresponding Internet Site document. In this way you can specify all host name/IP combinations that should share the common identity provider partnership. Restriction: If your organization is using SSL as recommended, you must include an IP address. 5. In the IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience. For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM). 6. In the Protocol version field, select a SAML version. Important SAML 2.0 is required if your federation is configured on Microsoft ADFS. 7. Leave State for this Configuration document as Enabled (the default). 8. In the Federation product field, select either TFIM for IBM Tivoli Federated Identity Manager or ADFS for Microsoft Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS. 9. In the Service provider ID field, enter the string that identifies Domino as a service provider partner with the IdP. This string is usually the same as the HTTPS URL for the Domino HTTP server, for example, https://domino1.us.renovations.com. Note If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string. Important An entry is required in this field to use the Create Certificate button on the Certificate Management tab. 10. Click Import XML file, and specify the metadata.xml file exported from the IdP. It is recommended that you leave intact the information supplied from the imported XML file. For more information, see Table: Fields in the IdP Configuration document whose value is generated from the metadata.xml file at the end of this procedure. 11. On the Client Settings tab, leave Enable Windows single sign -on set to Yes if this IdP document corresponds to an IdP that uses Windows single sign-on (SPNEGO/Kerberos) user authentication. This field is required by Notes client federated login so that Domino knows how to set up the Notes client embedded browser.
21
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
12. Still on the Client Settings tab, in the Sites that are trusted field, list trusted identity provider (IdP) web host names that differ from the host name configured in the Basics tab. Separate entries with a semicolon or a return character. 13. Still on the Client Settings tab, leave the Enforce SSL field set to Yes if the Notes client embedded browser requires that any URL accessed at the IdP during the login sequence be protected with SSL. 14. If you are using SAML 2.0 and need to export a metadata file from Domino to use at the IdP, on the Certificate Management tab, enter a Company name to identify the certificate in the Domino metadata file (idp.xml) to be exported. Use any string convenient to your administrators. You might use the name to indicate the Domino server, for example Domino US Renovations, or a virtual name if representing one particular Internet site configuration on the Domino server, for example, Domino East Coast US Renovations. Tip The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >). 15. Still on the Certificate Management tab, click Create Certificate (if prompted, save the document, return to the tab, and click the button a second time). When creating the certificate, Domino prepends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported. 16. Still on the Certificate Management tab, in the Domino URL field, enter a string to identify the fully qualified DNS name in a URL of the Domino server; for example, enter: https://your_SAML_service_provider_hostname The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino. Note If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com. Tip You can use the string you entered in the Service Provider ID field on the Basics tab. 17. Still on the Certificate Management tab, in the Single logout URL field, enter a URL if the IdP requires one, for example if your federation is Tivoli Federated Identity Manager (TFIM 2.0). The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the Domino metadata file, even though Domino does not currently implement a SAML 2.0 single logout feature. An example of a logout URL is: https://your_tfim_server.com/sps/samlTAM20/saml20 Note: In this beta release the field may be labeled "SLO url." 18. At the top of the form, click the Export URL button to save the created idp.xml file as an attachment to the document. 19. Save and close the IdP Configuration document.
22
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table: Fields in the IdP Configuration document whose value is generated from the metadata.xml file
Field Artifact resolution service URL Restriction: For the beta release, this field is as yet unused and may be empty. Single sign-on service URL Description Domino generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/ soap. If the data is available in the imported XML file, Domino generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/ logininitial. Note The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary. Signing X.509 certificate Encryption X.509 certificate Domino imports the certificate from file. Domino imports the certificate from file. Note: This field appears only when the Type field is set to SAML 2.0. Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol.
What to do next Follow the steps in Configuring SAML from the Internet Site document below, to enable SAML in the Internet Site document, and specify the preferred session cookie. Note If you later change the authentication type in the Internet Site document to remove SAML, your change has no effect to disable SAML unless this IdP Configuration document is either disabled or deleted.
23
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
24
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Specify HTTP Post for the partner. The service provider ID should be the same as the Web URL for the Domino HTTPS server, for example, https://domino1.us.renovations.com . Note If SSL is not configured at Domino, this setting would include http instead of https, for example: http://domino1.us.renovations.com.
The assertion consumer URL uses your server Web URL, the Domino Directory file name, and a required command (?SAMLLogin), for example, https:// domino1.us.renovations.com /names.nsf?SAMLLogin
At the server console, start the HTTP process by typing: load HTTP If the HTTP process is already running, type: tell HTTP restart
25
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Cookbook: Encrypting SAML assertions Supporting federated login on the Notes client
Federated-identity authentication using the Security Assertion Markup Language (SAML) standard relieves Notes client users of the need to enter a Notes password. Important Testing federated login in this beta release requires following complete instructions in the appropriate "cookbook", available from the beta download site. Tip The Domino ID vault server participating in federated login typically does not have the Domino Web server configured, but your organization may use such a combination if necessary. If the Domino ID vault server is configured as a Domino Web server, you may be able to use a single SAML partnership for both the Web server and the ID vault server. When the vault server is also a Web server, follow the procedure above in Enabling the Domino Web server to provide SAML authentication, instead of the cookbook procedure, to configure the ID vault server.
Before you begin This procedure assumes that your organization uses more than one computer for the server running iNotes and the ID vault server. The IdP Catalog application must reside on both the vault server and the server running iNotes. Note: The SAML IdP needs to know where to send the user's SAML assertion. When configuring the IdP in a document in the IDP Catalog, you will specify a valid URL to the server that runs iNotes. The vault server is not contacted by the IdP directly. Instead, the SAML assertion is sent first to the server that runs iNotes, and that server in turn sends the assertion to the ID vault server.
26
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Using a single computer for the Domino Web server running iNotes and the ID vault server
The ID vault server participating in Web federated login typically does not have the Web server configured, but your organization may use a single computer to run both servers. When the ID vault server is separate, it does not need to observe SSL. But if there is a requirement to use SSL for the Web server (for example, your federation is ADFS 2.0), and they are on the same computer, SSL must be enabled. About this task Web federated login requires four components:
z z z z
A Web browser client for all iNotes users Web server running iNotes and functioning as the home (mail) server for iNotes client users ID vault server SAML Identity Provider (IdP)
Perform these tasks: 1. Deploying the ID vault and security policy for Web federated login If the ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for iNotes client users, as well as a security policy to apply to such users. 2. Setting up the SAML identity provider and federation Decide whether your organization will use Microsoft ADFS or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider for Domino and iNotes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Web federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file, as well as setting up the Domino server that runs iNotes as a SAML partner. 3. Enabling the Web server that runs iNotes to provide SAML authentication You enable Security Assertion Markup language (SAML) authentication on using the IdP Catalog application. If the server is password-protected, there may be additional tasks. 4. Configuring the ID vault for Web federated login The Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP). 5. Using a security settings policy to apply a Web federated login configuration to iNotes client users After SAML-based federated login is configured on your server and identify provider (IdP), you can assign its use to iNotes client users through the security policy.
27
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Deploying the ID vault and security policy for Web federated login
If the ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for iNotes client users, as well as a security policy to apply to such users. Before you begin
z
You must have at least Editor access to the Directory, and access to, if one exists, the ID file and password for the ID vault server. users who are meant to participate in Web federated login must have their id files stored in the ID vault. Any user affected by the policy must have an Internet e-mail address that is known to either by being specified in a Person document in the Directory, or retrievable to the directory by use of directory assistance.
About this task A user's SAML assertion contains an e-mail address for the user. must be able to map each user's e-mail address to the user's distinguished name. This required mapping is why all users affected by the policy must have an Internet e-mail address specified in their Person documents in the Directory, so that the IdP can use that e-mail address in its SAML assertion. Procedure 1. Create the ID vault by running the ID vault creation wizard; for instructions, see the related topics. 2. As part of deploying the ID vault, create the security policy. On the server running iNotes, the policy exists in the Directory (names.nsf). The policy should also exist in the Directory on the ID vault server. 3. Ensure that the policy allows to use the ID vault. 4. Apply the security policy to user organizations (or to specific users) who will have their id files stored in this ID vault. What to do next Take these confirmation steps:
z
To see whether an users ID file has been uploaded to the vault, a vault administrator can open the ID vault application and check for the user's name in the Vault Users view. If your organizations users are managed in Directory Person documents, check a test user's Person document, Internet address field, for the user's e-mail address. If the users are managed in a directory configured with directory assistance, check the LDAP attribute (for example, the Mail attribute) for the user's e-mail address.
28
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Cookbook: Setting up new Relying Party Trust for AD FS 2.0 Cookbook: Setting up a new federation on TFIM 1.1 Cookbook: Setting up a new Federation on TFIM 2.0 Cookbook: Setting up a new partner on TFIM
2. If you are using TFIM as your federation, follow the instructions to configure a Domino server as a TFIM partner in the related topic below.
Enabling the Web server that runs iNotes to provide SAML authentication
You enable Security Assertion Markup language (SAML) authentication on iNotes using the IdP Catalog application. If the server is password-protected, there may be additional tasks. Before you begin
z
The identity provider (IdP) you intend to use with the Web server must be configured before you enable SAML on the Web server running iNotes. See the related topics. You must have access to the vault ID file and password, and have Editor access to the Directory. Obtain a copy of the metadata.xml file that was exported from the identity provider (IdP), and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Administrator client. If the IdP Catalog (idpcat.nsf) application already exists, you must have access to create documents in it. It is recommended that you use SSL security for your SAML configuration; if your federation is Microsoft Windows Active Directory (ADFS), SSL is required.
z z
Log in as a test user to confirm that SAML authentication is enabled. To do so, open a browser and enter the URL for the Web server running iNotes, for example: https://domino1.us.renovations.com. Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before mail is displayed in the browser. If SAML authentication is properly configured at the server, you will see the test user's mail displayed in the browser. iNotes may prompt for a password to the ID file before allowing access to encrypted mail. After you have verified that an user can be authenticated by SAML to start , then follow the procedure below, after which the test user should no longer see a password prompt for access to encrypted mail.
29
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
About this task The IdP Catalog application must exist on the server that hosts the ID vault whether or not that is the same computer that runs iNotes. If the ID vault and the Domino server running iNotes are on separate computers, make sure that the catalog applications exists on each server, and create an IdP Config document specific to each server. The document for the server running iNotes and the document for the vault server each have a different value in the Host names or addresses mapped to this site field. If you are creating certificates for use with SAML-encrypted assertions, the iNotes server and ID vault server require separate certificates. Tip You can create the two IdP Config documents in one IdP catalog application, and replicate that application to both servers. The procedure below sets up the catalog document for the ID vault server. For the server running iNotes, follow instructions for the Domino Web server enablement for SAML. See the "What to do next" section below. The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP. Important: If the server has a server.id file protected by a password, the administrator cannot use the Create Certificate button described below to create a metadata file. Instead, see the task in this sequence on creating the metadata file if the server.id file is password-protected. Important: If you later modify an existing SAML IdP Configuration document or add a new one, restart the HTTP process on the Web server so that the changes are recognized. Note: Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them. Procedure 1. From the Administrator client, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists. CAUTION: If your server is running on UNIX, make sure the file name is all lower-case. 2. Assign access in the ACL only to any SAML administrator(s) and to the server. Note: If the ipdcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL. 3. Click Add IdP Config to create a new configuration document. Note: If you have additional Internet Site documents in your organization, and you want SAML authentication used at these additional Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see the related topic on configuring SAML from the Internet Site document.
30
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
4. On the Basics tab, in the Host names or addresses mapped to this site field, enter a virtual name for the ID vault. It is recommended that you use a virtual DNS hostname with a differentiating string such as "vault", so that it will not be confused with a similar hostname on the network. The resulting hostname does not need to be defined in DNS. Restriction: If your Web server is using SSL, you must include an IP address after the virtual host name, separated by a semicolon. Important: The virtual host name you enter here should match what is entered in either the Host name(s) field on the Internet Protocols /HTTP tab in the Server document (if the ID vault is on the server that runs iNotes, or the Host names or addresses mapped to this site field of the corresponding Internet Site document to the ID vault server. In this way you can specify that the ID vault server should share the common identity provider partnership already established for the server running iNotes. For example, enter vault.us.renovations.com;n.nn.nnn.n . 5. In the IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience. For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM). 6. In the Protocol version field, select the SAML version already configured for the partnership.
Important: SAML 2.0 is required if your federation is configured on Microsoft Windows ADFS. 7. Leave State for this Configuration document as Enabled (the default).
8. In the Federation product field, select either TFIM for IBM Tivoli Federated Identity Manager or ADFS for Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS. 9. In the Service provider ID field, enter the string that identifies the virtual name for the ID vault as a service provider partner with the IdP. This string should be the the HTTP URL for the server running iNotes with virtual name for the ID vault, for example, https://vault.domino1.us.renovations.com. Note: The ID vault server does not need to be enabled for HTTP; only the server running iNotes does. If SSL is not configured at iNotes and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://vault.domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string. Important: An entry is required in this field to use the Create Certificate button on the Certificate Management tab. 10. Click Import XML file, and specify the metadata.xml file exported from the IdP. It is recommended that you leave intact the information supplied from the imported XML file. Note: If the federation is configured on ADFS, this file may have a slightly different name, for example, FederationMetadata.xml.
31
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table 1. Fields in the IdP Configuration document whose values are generated from the metadata.xml file
Field Artifact resolution service URL Description generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovati ons.com/FIM/sps/samlT AM20/soap. Single sign-on service URL If the data is available in the imported XML file, generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovati ons.com/FIM/sps/samlT AM20/logininitial. Note: The value in this field is a subset of the expected URL to the IdP. The server generates the full URL when necessary. Signing X.509 certificate Encryption X.509 certificate imports the certificate code from file. imports the certificate code from file. Note: This field appears only when the Type field is set to SAML 2.0.
32
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Description generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SA ML:2.0:protocol.
11. If you are using SAML 2.0 and need to export a certificate from to use at the IdP, on the Certificate Management tab, perform all of the following substeps: a. Enter a Company name field to identify the certificate in the metadata file (idp.xml) to be exported. Use any string convenient to your administrators. This string should identify the ID vault server, for example, Domino RenovationsID Vault. Tip: The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >). b. Click Create Certificate . If prompted, save the document, return to the tab, and click the button a second time. When creating the certificate, pre-pends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported. c. In the Domino URL field, enter a string to identify the fully qualified DNS virtual name for the ID vault in a URL of the server. For example, enter: https://your_iNotes_ virtual_name_for_ID_vault_SAML_service_provider_hostname The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to . Note: If SSL is not configured at and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://vault.domino1.us.renovations.com.
33
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Note: You can use the string you entered in the Service Provider ID field on the Basics tab. d. In the Single logout URL field, enter a URL if the IdP requires one, for example if your federation is Tivoli Federated Identity Manager (TFIM 2.0). The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the metadata file, even though does not currently implement a SAML 2.0 single logout feature. An example of a logout URL is: https://your_tfim_server.com/sps/samlTAM20/saml20 12. At the top of the form, click the Export URL button to save the created idp.xml file as an attachment to the document. Note: This button is visible only when a previously created idp.xml file is not already attached. 13. Save and close the IdP Configuration document.
What to do next If you use Internet Site documents, follow the steps in the related topics on them, to enable SAML and to specify the preferred session cookie. Note: If you later change the authentication type in the Internet Site document to remove SAML, your change has no effect to disable SAML unless this IdP Configuration document is either disabled or deleted.
34
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Procedure 1. From the Domino Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory. 2. From the Configuration view, open the vault document for the vault that will be configured for SAML authentication. 3. In the Web federated login approved IdP configurations field, specify a host name. Enter a value from the Host names or addresses mapped to this site field of the IdP Configuration document that corresponds to a trusted IdP which is approved to log in the iNotes users in this vault. For example, if the Renovations organization has created an IdP Configuration document in the IdP Catalog for vault.domino1.us.renovations.com, which is in partnership with a trusted IdP, then the Web federated login approved IdP configurations field in the vault document would contain vault.domino1.us.renovations.com. 4. Save and close the vault document.
Using a security settings policy to apply a Web federated login configuration to iNotes client users
After SAML-based federated login is configured on your server and identify provider (IdP), you can assign its use to iNotes client users through the security policy. Before you begin For this task, you will use the security policy already deployed earlier in a previous task of this sequence for users of your ID vault. Before you can apply the policy to support federated login, you also need to export a copy of the Internet SSL certificate from your federation (ADFS or TFIM 2.0), import that certifier into your Directory, and cross-certify. For the procedure, see the related topic on creating an Internet cross-certificate. Procedure 1. In the Directory, open the existing Security Settings policy for users of your organizations ID vault. 2. On the ID Vault tab, make sure there is an assigned vault. 3. Select the Password Management -> Federated Login tab. 4. Select Yes for Enable Web federated login with SAML IdP . 5. Select Set value whenever modified for How to apply this setting . 6. Select No for Allow User Changes . 8. Save and close the security policy.
35
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Results For any user to whom the policy applies, the settings for federated login will be activated on the user's next login. What to do next Log in as a test user to confirm that Web federated login is enabled. To do so, open a browser and enter the URL for the Web server running iNotes, for example: https://domino1.us.renovations.com. Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before mail is displayed in the browser. If SAML authentication is properly configured at the server, you will see the test user's mail displayed in the browser. If Web federated login is also properly configured, the test user should no longer see a password prompt for access to encrypted mail.
Serviceability
36
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
DEBUG_SAML=1 Use this parameter to trace general http processing. For example, you may want to check the SAML redirection URL or see what user is being authenticated. SAML Redirect URL [1108:000A-09DC] SAML1RedirectURL: https://yourservername.com/FIM/sps/saml TAM/saml11/login?TARGET=http://yourusername.yourservername.com/testdb.nsf SAML User name [1108:000A-09DC] SAML User - sec_master [1108:000A-09DC] SAML Timeout Before date: - 2011-09-13T15:43:04Z DEBUG_SAML=2 Use this parameter to get detailed information about what is going on in the SAML parsing code. This may help in determining how far long the parsing went before failing. SAML Parsing debug for above decoded SAML assertion: [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Reference size 33 : 0 [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Certificates size 2BC : 0 [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Digest size 1C : 0 [1108:000A-09DC] 09/13/2011 11:53:05.39 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Signature size AC : 0 [1108:000A-09DC] 09/13/2011 11:53:05.59 AM SECVerifySAMLSignature> DecodeB64 Dig est: 0 [1108:000A-09DC] 09/13/2011 11:53:05.59 AM SECVerifySAMLSignature> DecodeB64 Cer tificates: 0 [1108:000A-09DC] 09/13/2011 11:53:05.61 AM SECVerifySAMLSignature> DecodeB64 Sig nature: 0 [1108:000A-09DC] 09/13/2011 11:53:05.92 AM SECVerifySAMLSignature> GetInetCertif ierCertFromNAB: 0 [1108:000A-09DC] 09/13/2011 11:53:05.92 AM SECVerifySAMLSignature> Cert509_GetSu bjectPublicKeyInfo: 0 [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCreateKeyO bject: 0 [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCreateAlgO bject: 0 [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCryptoInit :0 [1108:000A-09DC] 09/13/2011 11:53:06.03 AM SECVerifySAMLSignature> SECCryptoUpda te: 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> SECCryptoUpda te - Final : 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECVerifySAMLSignature> Exiting : 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECSAMLVerifySignatureOnNode> SECVeri fySAMLSignature : 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECSAMLVerifySignatureOnNode> Exiting :0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAML> SECSAMLVerifySignatureO nNode : 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotOnOrAfter : 2011-09-13T16:03:04Z : 0 [1108:000A-09DC] 09/13/2011 11:53:06.12 AM SECParseSAMLAssertion> NotBefore : 20 11-09-13T15:43:04Z : 0
37
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
[1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> NameIdentifier : sec_master : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> Audience : htt p://tboyd64.swg.usma.ibm.com : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAMLAssertion> Exiting : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> SECParseSAMLAssertion : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Reference size 2C : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Certificates size 2BC : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Digest size 1C : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECMemo ryAllocAndZero Signature size AC : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Dig est: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Cer tificates: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> DecodeB64 Sig nature: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> GetInetCertif ierCertFromNAB: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> Cert509_GetSu bjectPublicKeyInfo: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCreateKeyO bject: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCreateAlgO bject: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoInit :0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoUpda te: 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> SECCryptoUpda te - Final : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECVerifySAMLSignature> Exiting : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> SECVeri fySAMLSignature : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECSAMLVerifySignatureOnNode> Exiting :0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> SECSAMLVerifySignatureO nNode : 0 [1108:000A-09DC] 09/13/2011 11:53:06.14 AM SECParseSAML> Exiting : 0 DEBUG_SAML=4 Print errors that occured during http processing. For example: Unable to decode SAML token: 22:22 SECParseSAML failed with error: 22:22 DEBUG_SAML=8 If you are interested in looking at the decode SAML assertion on the console, use this parameter to help troubleshoot assertion issues.
38
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
DEBUG_SAML=15 If you are interested in looking at all the above SAML information on the console, use this parameter to help troubleshoot issues. DEBUG_SAML=31 If you need highly detailed troubleshooting information, particularly regarding lookup and management of information in idpcat.nsf, use this parameter.
39
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
entifier Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">sec_master< /saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasi s:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmatio n></saml:Subject></saml:AuthenticationStatement><ds:Signature Id="uuid637dd97e-0 132-1506-9d3e-bfa9f4b3f4df"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:Signat ureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureM ethod><ds:Reference URI="#Assertion-uuid637dd97d-0132-1840-81b4-bfa9f4b3f4df"><d s:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envelope d-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/x ml-exc-c14n#"><xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/ xml-exc-c14n#" PrefixList="saml"></xc14n:InclusiveNamespaces></ds:Transform></ds :Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"> </ds:DigestMethod><ds:DigestValue>T6D1z2RUdH/RpRJWeANFvjANKcg=</ds:DigestValue>< /ds:Reference></ds:SignedInfo><ds:SignatureValue>KezzHeyIBP/RmGe8H0LPgr/LE/EYglx IUO73qMQzTNPtp/vpbP3t34HrkCIDQ/9Y2z+F9XlgrG0jqEswzIegFjywX/J5lHoKdsz0RbvSqTR19F5 nIClJ3LdxR2PgBSC6/R7lVyiJhmyBLi62FN6kwdA7gbGtGk4MYnonRBSMLbM=</ds:SignatureValue 09Certificate>MIICBzCCAXCgAwIBAgIEQH26vjANBgkqhkiG9w0BAQQFADBIMQswCQYDVQQGEwJV Uz EPMA0GA1UEChMGVGl2b2xpMQ4wDAYDVQQLEwVUQU1lQjEYMBYGA1UEAxMPZmltZGVtby5pYm0 uY29tMB 4XDTA0MDQxNDIyMjcxMFoXDTE3MTIyMjIyMjcxMFowSDELMAkGA1UEBhMCVVMxDzANBgNVBAoT BlRpdm 9saTEOMAwGA1UECxMFVEFNZUIxGDAWBgNVBAMTD2ZpbWRlbW8uaWJtLmNvbTCBnzANBgkqhki G9w0BAQ EFAAOBjQAwgYkCgYEAiZ0D1X6rk8+ZwNBTVZt7C85m421a8A52Ksjw40t+jNvbLYDp/W66AMMYD7rB 5q gniZ5K1p9W8ivM9WbPxc2u/60tFPg0e/Q/r/fxegW1K1umnay+5MaUvN3p4XUCRrfg79OvurvXQ7GZa1 /wOp5vBIdXzg6i9CVAqL29JGi6GYUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBXiAhxm91I4m+g3YX +dy Gc352TSKO8HvAIBkHHFFwIkzhNgO+zLhxg5UMkOg12X9ucW7leZ1IB0Z6+JXBrXIWmU3UPum+Qxmla E0 OG9zhp9LEfzsE5+ff+7XpS0wpJklY6c+cqHj4aTGfOhSE6u7BLdI26cZNdzxdhikBMZPgdyQ==</ds:X 509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></saml p:Response>
40
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
In this beta release, there are changes and enhancements to return receipt behavior on both outgoing and incoming mail messages. For Notes client users, the administrator can configure the behavior through a combination of policy settings and NOTES.INI settings on the Domino server. The settings are configured entirely through NOTES.INI settings for IBM iNotes client users (see below). Outgoing messages (Notes client users ) The administrator can prevent client users from using settings for a return receipt on outgoing messages. Previously, administrators could control only default behavior of whether or not return receipts would be requested. Now an additional setting allows administrators to disable return receipt settings completely. On the Mail > Basics tab of Mail Settings policy documents, the check box is under Outgoing Mail Checking: Do not allow users to set return receipt . After administrators apply this setting by policy, the following elements appear dimmed for client users:
z z
the Return receipt check box in the Delivery Options dialog box the Send me a Return Receipt when recipients read mail I send check box on the Mail > Basics tab in Mail Preferences (Notes client users only; iNotes users do not have this preference) the Return receipt check box at the top of a mail message (visible if the client user selects Display->Additional Mail Options)
Incoming messages (Notes client users ) By default, when a Notes client user receives an incoming message requesting a return receipt, if Do not allow users to set return receipt has been set in a policy that applies to the user, the user now sees this prompt:
The administrator can prevent this prompt from appearing at all for Notes client users, and also choose whether to send a return receipt on such incoming messages without the users' knowledge, or send no receipt. The following parameter prevents the prompt from appearing and sends a return receipt:
ReturnReceiptDisabled_AlwaysSend=1
The following parameter prevents the prompt from appearing and sends no return receipt (the return receipt item is stripped from message).
ReturnReceiptDisabled_NeverSend=1
41
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
iNotes client users In this beta release, you can set a server NOTES.INI parameter to show (or suppress) a similar prompt for iNotes client users that appears by default. The prompt lets the user choose whether to acknowledge a request for a return receipt on an incoming message. If you do not set the NOTES.INI parameter, the prompt always appears when the user receives such a request.
z
iNotes_WA_SendReturnReceipt=2 Displays a prompt giving the iNotes user the choice whether to acknowledge a request for a return receipt. iNotes_WA_SendReturnReceipt=1 Always sends a return receipt; does not notify the user. iNotes_WA_SendReturnReceipt=0 Never sends a return receipt; does not notify the user.
z z
In this beta release, you can specify the names of server groups in the Servers to run on field in the Program document. Any server group name that you use must be a Server only type of group (not a multi-purpose group). You can now also use a pattern-matching character in the Servers to run on field. A pattern-matching character -- the question mark (?) -- allows you to include all servers where one or more subsequent characters in the server name vary, for example: Sales??/Renovations includes Sales01/Renovations, Sales02/Renovations, and so on. An additional pattern-matching enhancement is now provided: You can use an asterisk (*) anywhere within a group name; you are not limited to the leftmost component of the hierarchical name. For example: Sales*/Renovations includes Sales001/Renovations, Sales002/Renovations, and so on.
IBM HTTP Server (IHS) can now run on the same computer as a Domino server and support Transport Layer Security (TLS)
Domino has the option of running the IBM HTTP Server on the same computer as a Domino HTTP server; the purpose of this enhancement is to support the Transport Layer Security (TLS) protocol. Note In this beta release, this IHS server module is supported only on Windows. In this beta release, a pass-through reverse proxy module named mod_domino is provided to forward HTTP requests to the Domino HTTP server. The pass-through reverse proxy module creates the context necessary to have the Domino HTTP server provide the HTTP request context expected by Domino Web applications, as if the Domino HTTP server were in direct contact with the browser client. Using the proxy module allows an IHS server to run "in front of" the Domino server.
42
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Installing the module 1. Start the installation of the Domino server. 2. Under Choose the installation type that best suits your needs , select Customize Domino Server . 3. Under Select the features for "Lotus Domino" you would like to install , enable the check box IBM HTTP server (installed). 4. Complete the installation, but do not start the server yet. Configuring the IBM HTTP server to reside on the same computer as the Domino HTTP server The IBM HTTP server configuration file that is used to start the IBM HTTP server is named domino.conf and is located in the Domino Program directory under the ihs\conf subdirectory. The installation does not assume any port configuration. By default all listen ports are disabled in the domino.conf file. You must enable any listen ports you want the server to use. 1. To allow the IBM HTTP Server to accept HTTP connections, enable normal HTTP port 80, and remove the comment character (#) for the following line(s) in the domino.conf file: # IPv4 support: #Listen 0.0.0.0:80 # Uncomment the following line for IPv6 support on Windows XP or Windows # 2003 or later. Windows IPv6 networking must be configured first. # Listen [::]:80 Example (section showing port 80 enabled for IPv4): # IPv4 support: Listen 0.0.0.0:80 # Uncomment the following line for IPv6 support on Windows XP or Windows # 2003 or later. Windows IPv6 networking must be configured first. # Listen [::]:80 2. To allow the IBM HTTP Server to accept HTTP SSL connections, enable the SSL/TLS port 443, and remove the comment character (#) for the following line(s) in the domino.conf file: # To enable ssl, uncomment and add/change the # appropriate directives #Listen 0.0.0.0:443 ## IPv6 support: #Listen [::]:443 #<VirtualHost *:443> #SSLEnable #SSLClientAuth optional #SSLProtocolDisable SSLv2 #SSLProtocolDisable SSLv3 #</VirtualHost> #KeyFile <domino_program_directory >/ihs/ihsserverkey.kdb #SSLDisable Example (section showing port 443 enabled for IPv4 with a SSL keyring file located on d:/keys/myserver.kdb): Listen 0.0.0.0:443 ## IPv6 support: #Listen [::]:443 <VirtualHost *:443>
43
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
SSLEnable SSLClientAuth optional #SSLProtocolDisable SSLv2 #SSLProtocolDisable SSLv3 </VirtualHost> KeyFile d:/keys/myserver.kdb SSLDisable # 3. To prepare the server to accept SSL/TLS connections, configure the SSL/TLS key database. Use the ikeyman utility provided with the IBM HTTP Server, and located in the Domino Program directory under ihs\bin, to create and configure the key database. 4. After the key database is created, make sure the KeyFile directive in the portion of the domino.conf file shown above points to the fully qualified file name of the key database. Note For an existing Domino server, the Domino key ring file cannot be used as a key database, and all necessary certificates that exist in the Domino key ring file must be re-imported from the originating Certificate Authorities into the IBM HTTP Server key database. See the following link for more information on the configuration of SSL/TLS in the IBM HTTP server: Guide to properly setting up SSL within the IBM HTTP Server
Configuring the Domino HTTP server to start, stop, and run the IBM HTTP server
In the NOTES.INI file on the Domino server, add the following parameter: HTTPIHSEnabled=1 This setting changes the Domino HTTP server to behave as follows:
z z
The setting disables the usual ports configured in the Domino Directory (these are most often HTTP port 80 and the HTTPS port 443). The Domino HTTP server connection settings are overridden with settings that maximize the re-use of connections between mod_domino/IBM HTTP Server and the Domino HTTP server. By default, the Domino HTTP server listens on port 9288 for loop back connections from mod_domino/IBM HTTP Server. The Domino HTTP server only accepts connections that originate from the same computer. By default, mod_domino uses the local loop back address of 127.0.0.1 to connect to the Domino HTTP server. Both server processes must run on the same computer.
44
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
This setting cannot be changed . DOMINO_SERVER_NAME=foo.swg.usma.ibm.com. Set to the fully qualified tcp name of the machine the Domino Server is installed on. This setting cannot be changed. DOMINO_DOCUMENT_ROOT=c:/domino/data/domino/html. Set to the document root where Domino html files are located. This setting cannot be changed. DOMINO_DOCUMENT_DIRECTORY=c:/domino/data/domino. Set to the base directory where Domino file system files may reside This setting cannot be changed. DOMINO_PORT=9288. Set to the port number that the Domino Web Server listens on for connections from mod_domino. The default port is 9288. This setting can be changed by setting the following notes.ini value. HTTPConnectorPort=<port number> DOMINO_MAX_REQUESTLINE=4108. Set to the maximum request line length, this setting is derived from Maximum URL length: field on the http tab in the name and address book. A fix number of bytes is added to account for the HTTP method and HTTP protocol strings. DOMINO_TECH_SUPPORT=c:/domino/data/IBM_TECHNICAL_SUPPORT. Set to the domino technical support directory. This setting cannot be changed. DOMINO_RESPONSE_TIMEOUT=300. Set the amount of time in seconds that mod_domino plugin will wait for the initial response from the Domino HTTP server. The default is 300 seconds for a non-traveler server. For a traveler server this setting is set to the Heartbeat Algorithm Maximum Interval: field on the Lotus Traveler tab in the name and address book. This setting can be changed by the following notes.ini HTTPIHSModDominoResponseTimeout=<time out value in seconds>
45
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
DOMINO_THREADS=120. This value is set to the number of Domino threads multiplied by three (3) for the optimal threads to connections between mod_domino and the Domino HTTP server. This is the default for non-traveler servers. For Lotus Traveler Servers this number is set to the same number of threads as the Domino HTTP server. This setting can be changed by the following notes.ini, however the general recommendation is to leave it alone unless there is a use case that requires a change. HTTPIHSThreads=<number of IBM HTTP Server threads>
Serviceability settings
You can use a NOTES.INI setting to display environment variables that are used in the domino.conf configuration file. Add the following parameter to the NOTES.INI file: HTTPIHSDebugStartup=1 Example output: [06F4:0002-13C4] Set IHS config environment var DOMINO_IHS_ROOT=C:/domino/ihs. [06F4:0002-13C4] Set IHS config environment var DOMINO_SERVER_NAME=envy.swg.usma.ibm.com. [06F4:0002-13C4] Set IHS config environment var DOMINO_DOCUMENT_ROOT=c:/domino/data/domino/html. [06F4:0002-13C4] Set IHS config environment var DOMINO_DOCUMENT_DIRECTORY=c:/domino/data/domino. [06F4:0002-13C4] Set IHS config environment var DOMINO_PORT=9288. [06F4:0002-13C4] Set IHS config environment var DOMINO_MAX_REQUESTLINE=4108. [06F4:0002-13C4] Set IHS config environment var DOMINO_TECH_SUPPORT=c:/domino/data/IBM_TECHNICAL_SUPPORT. [06F4:0002-13C4] Set IHS config environment var DOMINO_RESPONSE_TIMEOUT=300. [06F4:0002-13C4] Set IHS config environment var DOMINO_THREADS=120.
46
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The settings are located under the following registry key. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Value Name: Value Data: Value Name: Value Data: TcpTimedWaitDelay 30 - Should set the value to the minimum value of 30 MaxUserPort 65534 -- Should be set to the maximum value of 65534
Modifying local firewall software Lab testing has found that some firewall software running on the server may prevent and/or limit the number of loop back connections that can be made between the mod_domino plugin and the Domino HTTP server. It may be necessary to remove or configure local firewall software not to interfere with the operation of this plugin.
The Fault Analyzer task has been enhanced. Using a disposition value, fault reports are sorted in a new view to help explain the type of issues encountered and to allow administrators to focus on the reports important to them. Each fault report in LNDFR.NSF may be assigned a single disposition value. The new by Disposition view categorizes the documents, with the following top-level categories:
z z z z z
Problem Possible Problem (possibly actionable ) Possible Problem (likely NOT actionable ) Informational Unknown (investigate)
Note: A document categorized as Unknown (Investigate) does not have a disposition value. Problem category The fault reports in this category have sufficient information to match their crash stacks against previously reported crashes, and the crash is not one of the special cases listed in the Possible Problem (possibly actionable) category.
47
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Possible Problem (possibly actionable ) category The fault reports in this category have sufficient information to investigate the problem, but are not likely to result in action that the administrator should take.
Table: Subcategories for a Possible Problem (possibly actionable)
Dispositions Launched Notes multiple times Possible Hang Description Indicates that the user quickly launched multiple instances of the Notes client, resulting in a hang during Notes startup. In Notes 8.5.2 FP2 and Notes 8.5.3 (SPR #MLAT87XSS7), the situation is detected, the first launch succeeds, and the subsequent ones have no effect. Indicates that the Notes client was manually terminated while it appeared to be doing useful work. It is recommended that you use the NSD a -hang to help determine if the client is actually progressing or is hung. If a similar active stack occurs in many reports, that information should be provided to IBM for further investigation. Represents a crash in which the Java virtual machine (JVM) ran out of a memory resource such as heap space. Analyzing the attached Javacore file can help investigate the objects consuming the heap. IBM provides tools such as ISA and HeapAnalyzer to analyze this type of problem. See the IBM SDK Java Technology Edition Version 7 information center ( http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp) for more information Java troubleshooting. Indicates that the Notes client failed to launch properly because a previous process called NotesInit() and terminated normally without calling NotesTerm(). The crash occurs when the client attempts to attach to previously allocated shared memory. This previous process could be an application provided by IBM, a third party application, or a user-written application. Since Notes supports extensions through plug-ins or the extension manager, the Notes process might be identified while the erroneous code might be in a third-party plug-in or extension. After the crash, the client launch will launch without errors. The common occurrences reported by users in this situation included the Notes preloader (fixed in Notes/Domino 8.5.2 FP4 by SPR ATHN8DQD8D), IBM Traveler (fixed), and a third-party application with a work around documented in IBM TechNote #1417172, Lotus Notes 8.5.x crashes on NCExtMgr.MainEntryPoint ( https://www-304.ibm.com/support/docview.wss?uid=swg21417172). In Notes 8.5.3, Fault Analyzer was enhanced to identify the previous process which caused the problem. If Fault Analyzer is able to determine the erroneous process, it inserts the name of the executable which did not perform the NotesTerm() in the crash stack. See theBadProcess. exe listed below, where theBadProcess represents the name of the problem executable. ... AccessAllProtected AccessAll Access LockMem AccessSHTChunksInt OSMemGetFaultHandle OSLockPool theBadProcess .exe << the executable name inserted by FaultAnalyzer OSLockVPool OSInitWaiterSemProcess ... The source code for theBadProcess .exe should be scanned for a missing NotesTerm.
48
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Dispositions User Kill - Client appears idle User Kill Performing network I/O Process did not balance Notes API Init/Term Process missing NSD defect resulted in incomplete data
Description Indicates that the user manually terminated the client while it appeared to be waiting for input. Indicates that the user manually terminated the Notes client while waiting for a network operation to complete. It is recommended that if this occurs frequently in the same situation, that information be provided to IBM to explore mechanisms to mask the delay from the user. Indicates that a previous process abnormally terminated without doing balanced OSInit/OSTerms. The most likely causes are that the process crashed and did not trigger an NSD Indicates that the NSD data is incomplete.
Possible Problem (likely NOT actionable ) category The fault reports in this category do not contain sufficient information to investigate the problem. However, IBM is constantly improving its data collection techniques, and fault reports on similar crashes in the future will be likely to contain more necessary information.
Table: Details of the dispositions in this category
Disposition Crash identified but NSD/Javacore missing Crash process not found in NSD Had NSD or Javacore but no stacks were extracted No Notes Processes are running 1. No NSD or Javacore Notes2 exited with code=0 Notes2 missing Notes2 User Kill 1. NSD prematurely terminated by user Notes2 terminated by call to System.exit() Description The console log was used to identify that a crash occurred but there is no NSD or Javacore from which to extract a crash stack. The crash process was identified but the crash stack is not in the NSD. An NSD or Javacore is available but fault analyzer was unable to extract the crash stack from it. An NSD is available but it does not contain any Notes processes. Neither an NSD nor Javacore is available. Notes2 unexpectedly exited normally. Notes2 was missing for an unknown reason. Notes2 was manually terminated by the user. NSD was terminated by the user before necessary data was collected. Some unknown Java code called System.exit() which terminated the Java virtual machine. This code should be identified and changed. Nlnotes terminated for an unexplained reason.
49
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Informational category The reports in this category require no action. Either the faulting computers are configured not to mail attachments to the fault reports database, or a user took some manual action to send information from a running system.
Using the Quality of Service (QoS) feature to help keep Domino servers available
Quality of Service, or QoS, is a feature in this release designed to react to the general operation of a Domino server in order to keep that server up and functioning reliably at all times. If QoS detects that a server is not responding or hung, QoS probing can be configured to email an administrator about the problem and/or automatically terminate the server and restart it. QoS log information can also be useful for analysis by IBM Support. Caution In this beta release, QoS and fault recovery should not be enabled at the same time. Important If QoS (re)starts a server that has a password on the server.id file, the server will not start until an administrator connects to the console on that server and enters the password. Therefore, if you want QoS to be able to (re)start Domino without intervention on a specific server, for example at inconvenient times when an administrator is not available for a manual password entry, do not use a password on the server.id file on that server. QoS requires that the Domino server be run under the java controller (run the server using java console: 'nserver -jc'). On Windows systems, use 'nserver', and on all other platforms use 'server').
50
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Caution For the followed six INI values, all described below, if you do not configure the value, or configure it as less than the default, the default value applies. You can only change the value to be greater than the default.
z z z z z z
Enabling QoS when starting Domino Install this beta release of Domino. Start, and then stop, the Domino server. Open a command prompt and navigate to the directory Domino where Domino is installed. At the command prompt, run 'nserver -jc' to start the server and server console. At the command prompt, run 'nserver -jc -q -y' to stop the server and server console. This action creates the initial dcontroller.ini file in the server's data directory. 6. Add the following setting to the dcontroller.ini file: QOS_ENABLE=1 7. Add the following setting to the Domino server notes.ini file: QOS_ENABLE=1 When issuing the (n)server command -jc runs the java console. The -q option quits immediately after startup has completed, and the -y answers 'yes' to the quit verification. Verifying that QoS is running If you are the not the administrator who enabled QoS, you can verify the correct setup by checking for the following settings: In the notes.ini file: QOS_ENABLE=1 In the dcontroller.ini file (all but the first are optional): QOS_ENABLE=1 QOS_MAIL_TO=email address to send notifications to QOS_MAIL_SMTP_SERVER=name of server to use when sending notifications through SMTP QOS_NOKILL=1 - When this is set to 1, it stops QOS from killing the server when an event is triggered QOS_MAIL_ATTACH_LOGS=1 - If a notification is sent, a setting of 1 attaches the NSD logs 1. 2. 3. 4. 5.
51
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Configuring QoS The qosprobe addin task can be configured with the following settings on the Domino server in the server NOTES.INI file:
z z
QOS_PROBE_INTERVAL=n The probe interval in minutes. This can be set in the notes.ini. The default is 1 minute. QOS_PROBE_TIMEOUT=n The probe timeout in minutes. This can be set in the dcontroller.ini. The default is 5 minutes.
Note QOS_PROBE_TIMEOUT should be much greater than QOS_PROBE_INTERVAL. If the timeout occurs before the probe is set to respond, the server will be restarted constantly. The server controller monitors a message queue to which the qosprobe addin communicates its probing results. (SUCCESS, ERROR, TIMEOUT). The messages are captured in the qosctnrlrtimestamp .out file found in the server data directory. The following is an example of a SUCCESS message: 2010/01/07 07:42:56 QoS Probe: SUCCESS (88ms) The following is an example of an ERROR message: 2010/01/07 08:05:59 QoS Probe: ERROR: ProbeError=4803 When the QoS server is enabled, on TIMEOUT, the controller will smart kill the server and restart. A timeout can happen in either of the following cases:
z z z z
The NSFDbOpen or NIFOpenCollection calls used by the probe return Domino's ERR_TIMEOUT error. This error is sent to the controller and a smart kill/restart is initiated. The controller does not receive a message from qosprobe within the timeout period ( QOS_PROBE_TIMEOUT). This can happen in one of the following ways: qosprobe was told to quit ('tell qosprobe quit') or is not running. qosprobe becomes hung while probing.
If the controller receives a probe timeout, it may not initiate a server kill/restart because long running and/or load intensive operations are running (and thus may have caused the probe to time out). These operations include BACKUP, COMPACT, DBCOPY, FIXUP and DBPURGE. In these cases, you see the messages like the following ones in the qoscntrlrtimestamp .out file: 2010/01/07 07:42:56 QoS Controller: The controller has received a probe timeout. 2010/01/07 07:42:56 QoS Controller: There are long running applications probing will pause until they have completed. If this condition is detected, the controller will then allow the lengthy ("long-running") operation more time to complete. If any lengthy operation fails to complete within that amount of time, the controller will then proceed with the smart kill/restart. You see a message like the one in the following example in the qoscntrlrtimestamp .out file: 2010/01/07 07:42:56 QoS Controller: Applications are not making progress.
52
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Pausing and resuming QoS QoS provides a mechanism to pause or resume the QoS service at a specific time. Pausing QoS avoids allowing the server to be killed during an option that is expected to take a long time or that is critical to server operation; examples are backups or other maintenance operations. Temporarily disabling QoS allows these operations to complete without being misinterpreted by QoS as a server problem. To pause QoS probing, use the following command at the Domino server console: tell qos pause With this pause, only the QoS probe is running; it will not kill or restart the Domino server To resume QoS probing, use the following command at the Domino server console: tell qos resume Limiting QoS restarts QoS provides the option to limit the QoS restart times during one interval. When the restart times reach the time limitation, the QoS service is deactivated. The following parameters are set in the dcontroller.ini file. QOS_RESTART_LIMIT_ENABLE= Determines whether to enable the restart limitation. The default is 0. QOS_RESTART_LIMIT_MAXIMUM= Set the maximum restart times during specific interval(set by QOS_RESTART_LIMIT_PERIOD). The default is 3. QOS_RESTART_LIMIT_PERIOD= Restart time limitation interval; QoS allows only the restart times during this period. The default is 30 minutes. Running QoS with a no kill option You can run QoS with a no kill option. When QoS detects server exceptions, it sends a single email to a specified administrator with notification of the exception instead of killing and restarting the server directly. (You can also set QoS to send mail to an administrator whether or not you enable the no kill option.) The following parameters are set in the dcontroller.ini file. QOS_MAIL_TO= Administrator mail address. QOS_MAIL_SMTP_SERVER= SMTP mail server ip and SMTP port with the format <server ip>:<port> QOS_NOKILL= Whether to enable no kill option. Set to 1 to enable the option and 0 to disable it. QOS_MAIL_ATTACH_LOGS= Whether to attach logs in the mail sent to administrator Important The QOS_MAIL options do not support a user name/password combination. The specified SMTP server must accept mail without password authentication.
53
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Running QoS with other configuration options The following parameters are set in the dcontroller.ini file. QOS_DISABLE_PROBING=1 Disable all QoS probing. QOS_SHUTDOWN_TIMEOUT= The length of time a shutdown is allowed to take before QoS will smart kill the server. The default is 5 minutes. QOS_RESTART_TIMEOUT= The length of time a server restart is allowed (including RM restart) to take before QoS will smart kill the server. This time starts *after* the server is completely down (clean). The default is 5 minutes. QOS_APPS_TIMEOUT= The length of time a long running application is allowed to continue without showing progress before QoS smart kills the server. The default is 10 minutes. QoS kill events The following is how the server and server controller should behave during kill events.
z z z
'nsd -kill' does not produce an nsd. It produces only a kill_* file. If and only if the server is due to be restarted, the controller generates its own 'nsd -stacks' for troubleshooting purposes. With QoSShutdownNSD=seconds set in the notes.ini, an 'nsd -stacks' is generated every QoSShutdownNSD seconds if the server has not come down cleanly within QoSShutdownNSD seconds. This notes.ini setting is used for troubleshooting servers that are taking too long to shut down.
Controller action server is killed after 5 minutes and restarted server is killed after 10 minutes and restarted server is killed and restarted server is killed and restarted server is killed and restarted server is killed and restarted server is restarted after 5 minutes server is killed after 5 minutes server is killed after 5 minutes and restarted server is killed and restarted Configurable? dcontroller.ini:QOS_PROBE_TI MEOUT=minutes dcontroller.ini:QOS_APPS_TIM EOUT=minutes no no no no no dcontroller.ini:QOS_SHUTDOW N_TIMEOUT=minutes dcontroller.ini:QOS_RESTART_ TIMEOUT=minutes no
Event probe (qosprobe) timeout * long running applications timeout ** server runs out of shared handles server runs out of session tables server runs out of net memory server runs out of shared memory handles server crash/panic while running server takes too long to shutdown ('quit') server takes too long to restart ('restart server') The server process has terminated abnormally
* - timeout indicates that the qosprobe server addin is unable to open the server's names.nsf ($Servers view) successfully within QOS_PROBE_TIMEOUT milliseconds.
54
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
QoS failover trigger A QoS smart kill can have a server down for up to 20 minutes. Total downtime can include an approximately 5-minute detection of a probe timeout, the running of nsd to collect data on all processes (~3 minutes), the killing of the server(~1-2 minutes), and the restarting (including gating task time - up to 10 minutes). Any new requests designated to process on a server that QoS is set to will immediately fail over to a clustermate within seconds of the moment that QoS detects that the server should be smart killed. Note Since we care about failover only when the server is known to be up, running, and processing, the fast failover feature is not used in the following smart kill scenarios: z server shutdown is taking too long z server restart is taking too long z the server has crashed and QoS needs to clean up after the crash Note You can disable the StaticHang mechanism by using the notes.ini setting QOS_DISABLE_FAILOVER_TRIGGER=1. With this set, the triggerImmediateServerFailover file will still be created and deleted, but the server will not StaticHang to force failover. QoS controller log file You will find a new log file in the Domino server's data directory. The QoS controller log file contains details corresponding to various events as captured or processed by the QoS controller, events relating to QoS probing, hygienic server restart, server crashes, QoS smart kills, and other miscellaneous events. This document will describe this log file, how it works, and how to properly read it when troubleshooting an event in the service. Note You may also want to provide IBM support with the log file if you are troubleshooting a server problem with them.
55
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
2012/08/06 06:33:34 QoS Controller: QOS_NOKILL=false 2012/08/06 06:33:34 QoS Controller: QOS_MAIL_TO=test/ibm 2012/08/06 06:33:34 QoS Controller: QOS_MAIL_SMTP_SERVER=xx These items, along with some other basic items, can be configured in the Domino controller ini file ( dcontroller.ini), found in the server's data directory. The rest of the file from this point on contains a log entry for each message sent to the QoS controller by the server or one of its tasks. These messages have the format: 2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev ObjectType2=ProcessName ObjectValue2=nserver TimeDate=20120508T001506,95-04 2012/05/08 00:15:09 QoS Controller: OpMsg=START Type=SERVER TimeDate=20120508T001507,40-04 2012/05/08 00:15:21 QoS Controller: OpMsg=READY Type=SERVER TimeDate=20120508T001517,92-04 All messages logged to the QoS controller log file have a timestamp. If the QoS controller logs the message, it has the format: TimeDate=20120508T001506,95-04 If one of the QoS controller's other threads logs a message to the log file, it has the format: 2012/05/08 00:15:21 QoS Probe: <message> 2012/05/08 00:15:21 QoS Applications: <message> 2012/05/08 00:15:21 QoS Kill: <message>
56
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
QoS probing
Long-running applications
Example of what log shows 2012/05/08 00:45:22 QoS Controller: OpMsg=END Type=SERVER ObjectType=Detail ObjectValue=Quit TimeDate=20120508T004516,01-04 2012/05/08 00:45:22 QoS Controller: Deactivating probe... 2012/05/08 00:45:22 QoS Controller: QoS Probe deactivated. 2012/05/08 00:45:26 QoS Controller: OpMsg=END Type=QOS ObjectType=ServerName ObjectValue=CN=rc45/O=dev TimeDate=20120508T004523,51-04 2012/05/08 00:45:27 QoS Applications: Clearing long running apps list 2012/05/08 00:15:21 QoS Controller: Activating probe... 2012/05/08 00:15:21 QoS Controller: QoS Probe activated. 2012/05/08 00:15:21 QoS Probe: Starting qosprobe... 2012/05/08 00:15:25 QoS Probe: OpMsg=START, Type=PROBE 2012/05/08 00:16:25 QoS Probe: The QoS Probe is probing. 2012/05/08 00:16:25 QoS Probe: SUCCESS (156ms) 2012/05/08 00:17:25 QoS Probe: SUCCESS (16ms) 2012/05/08 00:18:25 QoS Probe: SUCCESS (31ms) 2012/05/08 00:19:25 QoS Probe: SUCCESS (16ms) 2012/05/08 00:20:26 QoS Probe: SUCCESS (15ms) 2012/05/08 00:38:32 QoS Controller: OpMsg=START Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003826,18-04 2012/05/08 00:38:32 QoS Controller: OpMsg=END Type=FIXUP ObjectType=DB ObjectValue=C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf TimeDate=20120508T003829,79-04 2012/05/08 00:38:32 QoS Applications: Adding FIXUP[C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf] to long running apps list 2012/05/08 00:38:32 QoS Applications: Removing FIXUP[C:\Program Files\IBM\Lotus\Domino\Data\ddm.nsf] from long running apps list ... 2012/05/08 00:47:42 QoS Controller: OpMsg=START Type=COMPACT ObjectType=DB ObjectValue=events4.nsf TimeDate=20120508T004740,23-04 2012/05/08 00:47:42 QoS Controller: OpMsg=END Type=COMPACT ObjectType=DB ObjectValue=events4.nsf TimeDate=20120508T004740,23-04 2012/05/08 00:47:43 QoS Applications: Adding COMPACT[events4.nsf] to long running apps list 2012/05/08 00:47:43 QoS Applications: Removing COMPACT[events4.nsf] from long running apps list
57
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
OpenSocial component
The OpenSocial component provides social and web features to make third-party processes available directly in the client user's mail. the OpenSocial component supports:
z z z
iNotes Widgets and LiveText OpenSocial 2.0 Gadgets in the sidebar, pop-ups, and anywhere Notes and iNotes previously made widgets available Embedded Experiences in Notes and iNotes
If Notes clients have the OpenSocial features installed, the Domino OpenSocial component configuration is required. The OpenSocial component is deployed and configured on two server components: a Domino mail server, and another Domino server running Shindig, both with Domino 9.0 Social Edition installed. In addition, the Domino mail server supports iNotes and hosts the widgets catalog, and the Domino server running Shindig hosts the credential store application. In this beta release, you can deploy these two components either on a single Domino server or as two separate Domino servers. Clustering of either component is not supported in this beta release.
58
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Setting up the Domino mail server for the OpenSocial component Complete the following steps to create the widget catalog application. Important If you already have a widget catalog application, you do not need to create one, but you do need to replace its design from the toolbox.ntf template supplied with the current beta release of Domino 9.0 Social Edition.
Procedure
1. Open the IBM Domino 9.0 Social Edition Administrator client and connect to the server where you want to create the catalog. 2. Click Files. 3. Click File > Applications > New. 4. Select the server (not Local). 5. Enter an application Title -- for example, Widget Catalog. 6. Enter a unique file name. Note You need this file name later, so make note of it. 7. In the Specify Template for New Application section, select your server (not Local). 8. Select Show advanced templates . 9. Select Widget Catalog (9). 10. Verify that the File name field contains toolbox.ntf. 11. Click OK. Configuring the widget catalog application Complete the procedures below to configure ACLs and roles, enable agents, and (optional) to set launch options.
59
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Enabling agents in the widgets catalog Enabling certain agents is required to enable OpenSocial widget functionality.
Ensure that you have appropriate rights to enable agents on the Server document, Security tab, Programmability Restrictions section. At minimum, enable the Sign or run restricted LotusScript/Java agents option.
Procedure
1. 2. 3. 4. Open the Widget Catalog in the classic (non-XPages) view. Click View > Agents. If IBM Domino Designer is installed, Designer opens. Select each agent listed in Table: Agents (below) and select Enable. Specify the server on which the widget catalog application is deployed; the agents should all run on the same server.
Table: Agents
Agent CalcDownloads CalcRatings CalcTags CreateStatisticRDoc RmDupRatingR2R PushToCredStore Description Ensures that widget documents display the updated number of user downloads. By default, this agent runs every 5 minutes. Ensures that widget documents display the updated average user rating. By default, this agent runs every 5 minutes. Ensures that widget documents display the updated list of tags created by users. By default, this agent runs every 5 minutes. Ensures that a statistic response document is created for each widget. By default, this agent runs daily. Ensures any duplicate rating response-to-response document from the same user is removed. By default, this agent runs daily. Pushes widget proxy rules and capabilities to the credential store. By default, this agent runs every hour, but runs immediately if you are approving a widget on the master server.
What to do next
After the agents are enabled, during the procedure for configuring the credential store (below), be sure to give yourself the [Admins] role in the ACL of the credential store application (credstore.nsf).
60
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Setting launch options for the widget catalog After you have finished configuring the widget catalog application, you can set its launch options to the XPages user interface. In release 9.0 Social Edition, XPages is the preferred user interface for widgets in both Notes and iNotes clients, providing all with the same experience when using the widget catalog. Tip There is no XPages user interface in the catalog application for approving and signing widgets. However, after you change the launch options to those in the procedure above, you and other administrators can still see the classic user interface and have the Review button available for approving and signing widgets. To do so, open the catalog in the Administrator client without the Notes client running. 1. Select the new database, right-click and select Properties. 2. Click the icon for launch options. 3. Under When opened in the Notes client , select Open designated Frameset and select the Toolbox-MainFrameset-XPage frameset.. 4. Under When opened in a browser , select home.xsp as the XPage. For additional details on XPage launch options, see the following technote: Widgets catalog as an XPages application
Setting up the Domino server to run the OpenSocial component and Shindig For complete information on the credential store, see the 9.0 Social Edition focus feature Using a credential store to share credentials.
61
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
8. Open the credential store application as a widget catalog administrator and open the Configuration view. 9. Click Create encryption key . 10. Click Create new encryption key and click OK.
Creating a configuration settings document for all servers that run Shindig
Before you begin z The Domino 9.0 Social Edition Administrator client must have $ENABLE_EE=1 in the notes.ini file. z The Domino Directory on the servers running Shindig must be using the Domino 9.0 Social Edition pubnames.ntf template. Procedure 1. Open the Domino Administrator client. 2. Select File > Open Server and open the Domino server running Shindig. 3. Click Configuration, and then click Server > Configurations. 4. Click Add Configuration to create a new configuration settings document. 5. On the Basics tab, in the Group or Server name field, enter the name of a server that runs Shindig or the name of a group containing all servers that run Shindig. 6. Click Social Edition. 7. On the Basics tab, complete the fields for the locked domain and unlocked domains based on your deployment topology. Locked and unlocked domains are used if your organization has iNotes clients. z For examples of strings to enter, see the pop-up help on the form. z For more details, see the topic Understanding and configuring locked domains below under Configuring the OpenSocial component for iNotes clients. 8. Set the Shindig server(s) host name field by entering the host name of the server. Important This host name should be the same host name used to register callback URLs for any OAuth 1.0a or OAuth2 services. 9. (Optional) Set the cache fields. These can be left blank to use the defaults. 10. (Optional) On the Advanced tab, configure settings for both shindig.properties and container.js. These settings map directly to settings used in the configuration files of the same name in Apache Shindig. Configuring the OpenSocial component for iNotes clients Several configuration changes are required to support the OpenSocial component features in iNotes.
62
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Configuring automatic updates for widgets As with widgets in Notes, you can use a policy to push widgets to iNotes users automatically.
Procedure
1. Enable these two required notes.ini file settings in the notes.ini file on the mail servers to enable automatic updates for widgets. Note: These notes.ini file settings are server wide settings as opposed to policies. Policies are used per user on every server, but if there is a server that needs to disable EE or Live Text, use these notes.ini file settings to do so. 2. Add the OSGi Tasklet Server (DOTs) server task to the ServerTasks notes.ini file on the server using the ServerTasks= notes.ini file setting. For example, enter ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched, HTTP,LDAP,RnRMgr,DOTS This starts DOTs automatically when the server starts.
63
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Configuring policies for the OpenSocial component You can use an existing policy or create new policy and settings documents for OpenSocial component users. The policy for iNotes can overlap and share the same settings documents used by the Notes OpenSocial component configuration. For more information about configuring Widgets with a policy, see Controlling Widgets and Live Text access using Domino policy.
The administration process (AdminP) runs every 12 hours to push these policies to iNotes users. AdminP runs on the home mail servers for each user. To force the push, from the Domino server console, enter the command tell adminp process mail on each home mail server. You can also use the notes.ini file setting ADMINP_POLL_INTERVAL=<time in minutes> to process mail policy at intervals other than the default 12 hours. Note: This notes.ini setting processes every mail file on your system and can take a long time. Keep this in mind when setting the interval. See Domino Policy FAQ for more information.
Before you begin This task requires: z A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 set in the notes.ini file. z The Domino Directory for the domain refreshed from the Domino 9.0 Social Edition pubnames.ntf template. Important While no specific mail settings are required for the OpenSocial component for iNotes, a mail settings document must exist in any policy that is configured for the Domino OpenSocial component to ensure that certain profile notes are populated as part of mail processing for the administration process. Procedure 1. In the Desktop policy settings document, click Widgets. 2. In the Widget catalog application name field, enter the widget catalog application name. 3. In the Widget catalog server field, enter the name of the server on which the Widget Catalog application resides. 4. In the Gadget Server URL field, enter the URL for the Domino server running Shindig. Use the format http://server name:port/fiesta . For example, enter http://shindig.renovations.com:80/fiesta 5. Specify any of the other following settings for widgets, all supported for iNotes clients: z Widget catalog categories to install z Show the My Widgets panel in the sidebar z Enable Live Text z Enable default recognizers z Restrict provider IDs for installation/execution and Enable provider IDs for installation/execution z Restrict extension point IDs for installation/execution and Enable extension point IDs for installation/execution z Install widgets from catalog 6. Save the Desktop settings document 7. In the Security policy settings document, click Proxies. 8. Click Edit list.
64
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
9. Complete these fields: z In the Context field, enter /xsp/proxy/BasicProxy/ z In the URL field, enter the URL to the server that runs Shindig. This value should match the URL provided in the Gadget Server URL field on the Widgets tab of the Desktop policy settings document. z In the Actions field, enter GET,POST z In the Cookies field, enter DomAuthSessId,LtpaToken,LtpaToken2 z In the Mime-types field, enter * z In the Headers field, enter * 10. Click Add/Modify Value. 11. Click OK. 12. Save the Security settings document. Understanding and configuring locked domains Domain locking is a security feature that isolates and protects OpenSocial widgets from third-party sources that might try to cause harm to other widgets, the browser, or your application. Locked domains are essential for products such as Domino 9.0 Social Edition and iNotes 9.0 Social Edition that allow users to add or render widgets from third-party sources. Malicious content can often try to take advantage of a user's authenticated session to extract server data, modify other widgets on the page, or attack web services that have been authenticated and authorized through Open Authorization (OAuth). Locked domains prevent these security risks by sandboxing widgets into individual subdomains that cannot be penetrated by third-party sources or other widgets on the page. Locked domains prevent widgets from having direct access to secure information in the browser and in other widgets on the page, including JavaScript and cookies. Even with a proxy, a piece of malicious or hacked JavaScript code that is loaded in the browser without locked domains can gain access to all of a user's single sign-on (SSO) cookies via the window.cookies object. Even though SSO cookies time out after a set expiration time, the malicious code can still obtain blanket access to the enterprise for a given interval of time. Therefore, in iNotes 9.0 Social Edition, it is strongly recommended that you configure locked domains and never disable them.
65
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
A locked domain implementation consists of three separate domains: z A single sign-on (SSO) domain. z An unlocked container domain for your host application, that is, iNotes. This unlocked domain can be part of the SSO domain, but ideally the two domains should be separate so that cookies such as SSO tokens are not unintentionally carried along with content requests. z Locked hosts that are derived specifically for each widget. Widgets run in individual subdomains of the locked host to prevent widgets from sharing data among themselves. The unlocked domain handles initial calls such as proxy requests and has a specific host name, for example unlocked.renovations.com. The locked host name used for widgets is derived by computing a hash of the widget URLs and pre-pending that hash to a locked domain name suffix such as -locked.gadgets.com. The locked domain suffix must be a separate top-level domain (TLD) that is separate from the container (host application) and SSO domains. Note When selecting the unlocked host and locked domain suffix, consider the domain scope of authentication cookies that might be used. Ideally, widgets should not have access to the authentication cookies. To re-associate Open Authorization (OAuth) tokens with the locked gadget, the container uses an encrypted string called the security token. Similar to SSO tokens such as Lightweight Third-Party Authentication (LTPA), the security token has a relatively short life span to ensure that access is not granted indefinitely if a widget is hacked. SSO tokens do not flow directly to the widget, even if the security token is compromised, so the widget can only access resources that it is authorized to access via the proxy.
66
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
For details about setting up the wildcard DNS server, see the following resources: http://www.zytrax.com/books/dns/ch9/subdomain.html http://www.debian-administration.org/articles/358
Configuring the OpenSocial component for Notes clients You can configure the OpenSocial component to support Notes clients using a managed account and policy settings. You must also configure session authentication.
67
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
6. Click Advanced, and complete these fields. Note None of these options should be set to Editable. z Authentication Type : DOMINO-SSO z Enforce SSL: Yes z Enforce trusted sites : Yes 7. On the Advanced tab, click Edit list, and then enter PreferredUsernameField=fullname 8. Save the account document.
Configuring a Desktop settings policy document You can use an existing policy or create new policy and settings documents for OpenSocial component users. The policy can overlap and share the same settings documents as those used by iNotes SE Configuration.
This task requires: z A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 in the notes.ini file. z The Domino Directory for the domain refreshed from the 9.0 Social Edition pubnames.ntf template
Procedure
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. Create a Desktop settings policy document or modify an existing document. Click Widgets. In the Widget catalog application name field, enter the widget catalog application name. In the Widget catalog server field, enter the name of the server on which the widget catalog application resides. In the Gadget Server URL field, enter the URL for the Domino server running Shindig. Use the format http://server name:port/fiesta . For example, enter http://shindig.renovations.com:80/fiesta Click the Custom Settings tab. Add ENABLE_EE=1 and $ENABLE_EE=1 to the list of notes.ini settings. Click the Accounts tab. Click Update Links. In the Accounts dialog box, select Selected supported . Click OK. In the Select accounts to push dialog box, select the account created above in the Configuring a managed account procedure. Click OK. The account appears in the Account Links section. Save the Desktop settings document
This task requires: z A Domino 9.0 Social Edition Administrator client with $ENABLE_EE=1 and ENABLE_EE=1 in the notes.ini file. 1. On the Domino server running Shindig, create a new Security settings policy document or modify an existing one. 2. Select the Execution Control List tab. 3. Click Edit. (Next to Admin ECL) 4. In the ECL list section, specify an administrator who approves widgets. Tip The ECL does not support use of a group such as LocalDomainWidgetCatalogAdmins. You can try using a shared administration ID. 5. Ensure that Ability to configure widget capabilities is enabled for the administrator or group of administrators.
68
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Approving a widget created from an OpenSocial gadget Any time after a client user has added a widget to the catalog, the Domino administrator must follow an approval process to review, approve, and make the widget available as an embedded experience to client users. OpenSocial gadgets that provide client users with embedded experiences in Domino 9.0 Social Edition must be approved like any other widgets, but require some additional configuration. Note An OpenSocial gadget configured in a widget document in Domino is referred to as an OpenSocial widget.
Overview
During the approval process, you will configure: z Proxy settings - required z OAuth client consumer information (keys and secrets) - required only if a gadget needs them z IP filter(s) - optional z Metadata - optional The process completes when you sign the approval document, After approval, you must also establish trust for an OpenSocial widget.
69
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The administrator initiates the approval process for an OpenSocial gadget from a widget document in the widget catalog. When the approval process is complete, the administrator can return to the widget document, and select Edit Proxy Data to adjust the configured proxy, OAuth, or other settings as needed. On the Notes client, OpenSocial widgets are rendered from a local gadget server using the proxy settings defined in the widget catalog application that is replicated to the Notes client. iNotes users can open widgets from the Domino server running Shindig. This Domino server uses proxy rules (settings) contained within the credential store. Proxy settings configured using the widget catalog application are pushed by the PushProxy agent to the credential store. OAuth-enabled widgets are always rendered on a Domino server running Shindig; never from the gadget server on the Notes client. At runtime, the URL contained in the request made by a gadget is compared against each of the URLs listed as proxies for the OpenSocial widget. When a match is found, the specified actions, headers, cookies, and MIME type restrictions are applied to the request.
About IP filters
The IP Filters consist of Allow and Deny Filters. The Deny filters are applied to the address, then the Allow filters are applied. The typical pattern for Allow filters is to deny a wide range of addresses, and then to allow only a specific server. There is no benefit to defining Allow filters without defining a Deny filter.
If an OpenSocial widget requests OAuth-enabled services, during the approval process the administrator can use a Configure OAuth Consumer Information dialog box to specify values appropriate to the type of OAuth service the gadget is requesting. The fields in the dialog box differ according to whether the widget is requesting OAuth 1.0a or OAuth 2.0 authentication flows. You can complete fields in this document with information received from the OAuth provider. If all of the OAuth information is not immediately available, save the dialog box with the information you have. You can modify the information later by selecting the Edit OAuth Data action from the widget document. The Consumer Key and Secret are stored as encrypted items in the Consumer Key document in the credential store. When editing the widget document, the original values cannot be retrieved for display. If the widget document is saved without entering additional content in those fields, the original values are used. If new content is entered in those fields, the new content is encrypted and stored back in the Consumer Key document.
The administrator must have appropriate access to the widget catalog application, including being part of the [Admins] role, in order to approve widgets. Tip You can see which widgets have been reviewed and approved in the Administration > All Widgets by Approval view.
70
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Procedure
1. In the widget catalog application, select the Administration > Configuration view. 2. Edit the widget document for the OpenSocial gadget that needs to be approved. Note The widget approval status shown in the widget document is Review Needed. 3. Click Review. A new Security section in the widget document is populated. Note The widget approval status shown in the widget document becomes Approval Needed. 4. If there is security data to approve, review the information. 5. If the widget should be approved, click Approve. The Configure Proxy dialog box opens. Note The Gadget URL field value is pre-filled from information in the extension.xml file in the widget document. 6. Complete the proxy settings on both the Gadget Proxy (determines what endpoints an OpenSocial Widget can use with Shindig's proxy) and Content Proxy (specifies data that may be fetched anonymously from OpenSocial widgets) tabs. The fields and details on their settings are listed below this procedure in Table: Fields in the Configure Proxy dialog box - Proxy Settings
section.
Note The Content Proxy settings apply to resources that the gadget requests, such as CSS and JavaScript, as well as any resources retrieved using the gadgets.io.getProxyUrl() OpenSocial API. (Optional) Under IP filter, specify values in the Allow list and Deny list fields as needed. Represent filter values as IPv4 addresses: z Fully qualified domain name, no wildcards. z IP address and subnet mask, 9.6.1.0/255.255.0.0, no wildcards are permitted. Both sides of the subnet must be valid ip(v4) addresses. z IP address with wildcards for specific address components only, for example, 9.6.*.*, but * by itself is not permitted. When you have specified all initial proxy settings (you can modify them later), click OK in the Configure Proxy dialog box. If the OpenSocial gadget uses OAuth, a version of the Configure OAuth Consumer Information dialog box specific to the gadget's release of OAuth opens. For information on the fields and details on their settings, see the Table: Fields in the Configure OAuth Consumer Information dialog box below this procedure. Note It is strongly recommended that you use secure https URLs in any fields where you enter URLs. When you have specified any necessary OAuth settings (you can modify them later), click OK in the Configure OAuth Consumer Information dialog box. Sign and save the widget document., Note The approval status in the widget document becomes Approved.
7.
8. 9.
10. 11.
71
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table: Fields in the Configure Proxy dialog box - Proxy Settings section
Field URL Note This value is required Description The URL pattern for the proxy. The URL can include the wildcard character *, but only in its last path component. For example, the URL may contain http://www.example.com/images/*. However, http://www.example.com/*/images is not valid. For example, this URL http://www.example.com/foobar/test/* is valid and matches http://www.example.com/foobar/test/test.jsp, or http://www.example.com/foobar/test/someOtherstuff. A proxy URL such as http://www.example.com/foobar/test* is not the same, and is not likely to match any target URLs. The URL may contain only the wildcard character. At runtime, the URL contained in the request made by the gadget is compared against each of the different proxy URLs for the gadget. When a match is found, the Actions, Headers, Cookies, and MIME type restrictions are applied to the request. Select one or more of these actions: GET, POST, PUT, DELETE, HEAD. Any action entered here is permitted for any request matching the URL. By default, no actions are permitted. Defines the headers that can to be added to a request made from the gadget server. Headers are values sent by a request to a server indicating how the request should be treated and how the response should be returned. The HTTP specification defines a number of headers as a standard. Applications can add additional headers to the request. A gadget's request can include additional headers to be set. However, if those additional headers are not permitted by the proxy setting, then the headers are not allowed. If a request depends on additional headers, those headers must be defined. Use commas to separate individual entries in a list of headers. Follow the Internet specification for header names. Header names may contain a wildcard character (*) to match parts of names. For example, if the header name is MyH*, then both MyHeader and MyHome are permitted. If nothing is specified, the default set of headers containing Cache-Control, Pragma, User-Agent, Accept*, Content* is used. If an additional header is required, the header list must contain the desired default headers, as well as the required additional header. For example, to add client_secret to the list of headers, the field would contain Cache-Control, Pragma, User-Agent, Accept*, Content*,client_secret. If the wildcard * is specified, all headers are permitted. To prevent any headers from being sent, add a single header name to the field, and do not include any default headers. For example, specify No_Headers to prevent all headers from being sent. Note The Set-Cookie header is handled separately using the Cookies field, and should not be specified in the Headers field. Cookies are informational elements that transfer data between client and server. Gadget requests may contain cookie values that they desire to set. The Cookies field defines the set of cookies allowed to be passed through the server. Use commas to separate multiple cookie names. Specify the full cookie name. No wildcard characters are permitted. Set limitations on the request/response style specified with this field. Use commas to separate multiple values. The wildcard character (*) is permitted in the MIME types. An empty value, or a value of * permits all MIME types to be used.
Cookies
MIME types
72
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table: Fields in the Configure OAuth Consumer Information dialog box (1.0A)
Field Application Id Service Name OAuth Request Token URI Description URL to the OpenSocial widget's XML file. Domino supplies the value in this field. Domino supplies the value in this field. Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. The signature style used when generating requests to a specific resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.
*Consumer Key**
*Signature Method
*Consumer Secret**
73
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table: Fields in the Configure OAuth Consumer Information dialog box (2.0)
Field Application Id Service Name AllowModuleOverrides Description URL to the OpenSocial widget's XML file. Domino supplies the value in this field. Domino supplies the value in this field. True (default) or False Indicates whether or not URLs specified in the widget XML can be used. A value of true allows widget XML URLs to be used. A value of false will use only the URLs supplied from the database document. Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.
*Consumer Key**
*Consumer Secret**
74
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Field UseAuthorizationHeader
Description True (default) or False Indicates whether or not to include OAuth2 protocol content items as headers. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. False (default) or True Indicates whether or not to include OAuth2 protocol content items as URL parameters. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. False (default) or True Indicates whether or not an access token from a resource provider that matches the service name and consumer key can be used for multiple gadgets. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.
UseUrlParameter
SharedTokens
What to do next
Unless the widget is meant for use only by iNotes client users, follow the procedure below: Verifying
component for Notes clients > Configuring a Security settings policy document to establish trust.
Verifying widget trust for Notes client users If an approved OpenSocial widget will be used by Notes client users, those users must have trust established for the signer of the widget. You establish this trust by including any administrators who approve (sign) widgets in the ECL specified in a Security settings policy on the Domino server running Shindig. Make sure that you have followed the procedure above under Configuring the OpenSocial You can verify that the correct ECL settings are being applied by logging into Notes as a (test) user for whom you are planning to render an embedded experience.
Procedure
1. 2. 3. 4.
Open the Notes client (Notes 9.0 Social Edition) as the test user. Select File > Security > User Security and enter the user's password. Select What Others Can Do > Using Workstation. Under When code is signed by , check for the name(s) of administrators whom you specified in the ECL in the Security settings policy are in the list, and make sure that the check box Configure widget capabilities is enabled for any such administrator. Note This Configure widget capabilities check box appears if the following setting is specified in the client user's note.ini file: $ENABLE_EE=1
75
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Editing an approved widget Any changes made to the widget document, for example, changing platform, description, or title, result in the document's no longer being approved. When you make changes to the widget document, you need to re-approve the document. In addition, edited proxy settings will not be applied for Notes client users until the widget catalog application replicates. Modifying proxy settings after approval The Configure Proxy dialog box displays the OpenSocial widget with which proxy settings are associated. The right side of the page displays a list of the defined proxies for the widget.
If changes are required to the proxy settings, open the widget document, then select Edit Proxy Data to review and update the proxy settings. These procedures work regardless of whether the proxy settings are listed on the Gadget Proxy or Content Proxy tab.
1. Specify the URL, Actions, Headers, Cookies, and MIME types. 2. Click Save. Settings are added to the list on the right. If the URL is changed, a new proxy is added to the list using the new URL, and the proxy using the original URL is still listed. Tip Save acts like a Save As.
1. From the list of proxies on the right, select the proxy whose settings you want to edit. 2. Click Edit. The fields are populated with the existing values for the proxy; edit them as desired. 3. Click Save. If the URL is changed, a new proxy is added to the list using the new URL, and the proxy using the original URL is still listed. Tip Save acts like a Save As. 1. From the list , select the proxy whose settings you want to remove. 2. Click Remove.
To remove a proxy
76
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Removing approval for a widget If a widget document is approved and later is not needed, complete these steps: 1. Edit the widget document. 2. Expand the Security Section. 3. Click Remove. The security state reverts to Approval Needed. Modifying OAuth data after approval During the approval process, the approver is prompted to approve the OAuth client consumer information if a gadget includes it. If changes to the OAuth client consumer information are required, open the widget document, and select Edit OAuth Data to review and update the proxy settings in the Configure OAuth Consumer Information dialog box. Troubleshooting
Errors
z
If the gadgets request is completely rejected, for example, if the requested URL is not permitted, then this is typically treated internal to the server as an HTTP response code 403. This may display in different ways depending on the actual request. Proxy-rejected requests that return a 403 response code are cached for the negative cache TTL. The default is 5 minutes, unless the gadget is making a specific refresh interval designation. Even if proxy settings are corrected, the server may still use a previously cached response. To determine the proxy settings used for a request, enable trace at level CONFIG for the logger com.ibm.fiesta.commons.internal.ProxiedHttpFetcher
The trace messages generated by this logger will look as follows: Mapping: http://www.example.com:80//gadgets/testgadget.xml URL: http://www.example.com/commerce/query From this message, you can determine that the gadget making the request is http://www.example.com:80//gadgets/testgadget.xml and the target resource is http://www.example.com/commerce/query. If the target resource is not covered by the policies defined for the gadget, then an update may be required. Two other mappings that may also appear are /anonymous and /Internal. The /anonymous mapping is used for the content proxy requests, and shows the target resource. If the target resource is not being retrieved, then a change to the Content Proxy settings in the Configure Proxy dialog box may be required. The /Internal mapping is used for some requests that the gadget server initiates to performs its tasks. You cannot edit the /Internal mapping.
z
To assist in identifying where a proxy request is being rejected, or where headers or cookies are not being sent with a particular request, enable these loggers at the FINER level to obtain more detail: com.ibm.mashups.proxy.connection.HttpURLConnectionFilter com.ibm.mm.proxy.connection.filter.RequestHeaderValidationFilter com.ibm.mm.proxy.connection.filter.CookieFilter
77
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
OAuth issues
OAuth documents are stored in the credential store on the Domino server. At runtime, any consumer and token documents are cached for increased performance. Changes made to existing OAuth client consumer documents may not take effect until the server is aware of changes. By default, the server checks for updates every 60 minutes. You can modify the interval using the SocialOAuthRefreshInterval setting in the notes.ini file of the Domino server. If an immediate update is needed on the server, you can refresh the OAuth client documents using this Domino console command tell http osgi social refresh oauthconsumers
Proxy metadata
The mashup maker proxy used by the Shindig server may need additional configuration of metadata in some cases. You can configure metadata to specify general proxy configuration properties. Tip For more information on properties, and on forwarding HTTP error codes to the client, see this wiki article:
Advanced configuration
Procedure 1. In the widget catalog application, select the Administration > Configuration view. 2. Select the Configure Meta-data action and apply settings listed in the following tables as needed:
Table: Metadata to configure the proxy to make a connection through a boundary (pass through) proxy and Table: Metadata to control how outbound connections are used.
78
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Table: Metadata to configure the proxy to make a connection through a boundary (pass through) proxy
Metadata setting passthru_host passthru_port passthru_ntlm_domain passthru_realm Description The host name of the pass through proxy. The port of the pass through proxy. The NT LAN Manager (NTLM) Windows domain and user of the boundary proxy in order to authenticate the user against an NTLM domain. Optional. If a user name and password are needed for the proxy, specify the proxy realm so that the credentials are not sent to any proxy. If you do not specify a realm, any realm is accepted and used for the proxy. Optional. The user name for the proxy. Optional. The password for the proxy. Optional. Indicates which hosts should be connected directly and not through the passthru-proxy. The value can be a list of hosts, each separated by a | character. A wildcard character (*) can be used for matching, for example locahost|*.local.
79
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Server NOTES.INI parameters to enable widgets , embedded experiences , live text, and OpenSocial features You can use the following parameters in the NOTES.INI file on the Domino server. These notes.ini file settings are server wide settings, whereas policies are used per user on every server. If you need to disable embedded experience or live text on a server, uses these notes.ini file settings. Note These settings have no effect on the Notes or iNotes client unless the Domino OpenSocial component is installed.
Parameter Acceptable Values 0|1 Default Value 0 Description Set to 1 to enable embedded experiences in iNotes. Set to 1 to enable live text in iNotes. Set to 1 to enable widgets in iNotes. If iNotes_WA_Widgets is disabled, embedded experiences, live text, and OpenSocial are all disabled (regardless of other settings) because widgets is the core of all of those features. iNotes_WA_OpenSocial0|1 0 Set to 1 to enable OpenSocial Widgets in iNotes. If iNotes_WA_OpenSocial is disabled, embedded experiences is disabled (regardless of the embedded experiences setting) because embedded experiences uses OpenSocial widgets.
iNotes_WA_LiveText iNotes_WA_Widgets
0|1
20 1000
80
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Related to gadgets
SocialCapabilitiesReA number > 0 freshInterval 60 Interval in minutes at which to check for updates to gadget capabilities in order to refresh the cached information; 0 or less disables the refresh check. Interval in minutes at which to check for updates to OAuth client information; 0 or fewer disables the refresh check. Interval in minutes at which to check for updates to proxy configuration rules; 0 or fewer disables the refresh check.
60
60
iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster. Notes users can authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts.
In addition, you can centrally store OAuth consumer keys and secret information without requiring any insecure distribution of document encryption keys. After you have created the credential store, you use it to store centrally the consumer key and secret that you create whenever you configure a Domino server application to access the Web using the OAuth protocol, as well as the access token generated when Notes or iNotes user authorizes the Domino application for access to his or her data on an OAuth-compliant Web site.
81
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Creating the credential store application on a single Domino server You use Keymgmt commands at the Domino server console to set up the credential store application ( credstore.nsf).
creating the document encryption key in the Domino server's ID file creating the credential store application and assigning the document encryption key to it assigning the document encryption key to the credential store checking whether the store exists and includes the document encryption key
The console commands create the application from the websecuritystore.ntf template. Restriction: Do not use this template to create the database manually.
Procedure
1. At the Domino server console, use the keymgmt create nek command to create the document encryption key in the Domino server ID file. For syntax and examples, see the related topics. 2. Check the server console log and make sure you see the following message: NEK credstorekey created successfully 3. Make note of the displayed fingerprint for the key. 4. Use the keymgmt create credstore command to create the credential store application. and assign the document encryption key. 5. Make sure the displayed fingerprint matches the one you made note of in the previous step. 6. Make sure the Domino server \data directory now has a directory \IBM_CredStore. 7. Make sure credstore.nsf exists in the directory.
82
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Creating the credential store application in a cluster You use Keymgmt commands at the Domino server console to set up the credential store application ( credstore.nsf). When the application is used in a cluster, you also create replicas of it on each server.
creating the document encryption key in the Domino server's ID file exporting the document encryption key and importing it into the ID files of the other servers in the cluster creating the credential store application and assigning the document encryption key to it checking whether the credential store exists and includes the document encryption key creating replicas of the credential store on each server in the cluster
z z z
The console commands create the application from the websecuritystore.ntf template. Restriction: Do not use this template to create the database manually. You perform all of the following steps at the Domino server console, and you can check the key fingerprints displayed either in the console itself or in the server console log.
Procedure
1. At the server console for the first Domino server in the cluster, use the keymgmt create nek command to create the document encryption key in the Domino server ID file. For syntax and examples, see the related topics. 2. Take note of the displayed fingerprint for the key, and make sure you see the message: NEK credstorekey created successfully. 3. Use the keymgmt export nek command to create a local file that contains the key. For syntax and examples, see the related topics. 4. Make sure the displayed fingerprint matches the one you made note of in the previous step, and make sure you see the message: NEK credstorekey exported successfully. 5. Copy the key file to all servers in the cluster. 6. At the console on each of the other servers, use the keymgmt import nek command to import the document encryption key from the file you created into the ID file of each server. For syntax and examples, see the related topics. 7. Make sure the displayed fingerprint matches the one you made note of in the previous steps, and make sure you see the message: NEK credstorekey imported successfully. 8. Back on the original server, use the keymgmt create credstore command to create the credential store application and to assign the document encryption key. For syntax and examples, see the related topics. 9. Make sure the displayed fingerprint matches the one you made note of in the previous steps.
83
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
10. Make sure the Domino server \data directory now has a directory \IBM_CredStore. 11. Make sure credstore.nsf exists in the directory. 12. Create replicas of the credstore.nsf in a \data\IBM_CredStore directory on the rest of the servers in the cluster.
Moving the credential store application When you move or decommission a server that includes a credential store application (credstore.nsf ), be sure to manage the movement of the credential store so that it functions properly after the change. Moving the credential store application requires different steps depending on whether the servers are in a cluster or not, and whether a server is being decommissioned. You perform all of the steps for moving a credential store at the Domino server console, and you can check the key fingerprints displayed either in the console itself or in the server console log. For syntax and examples on the Keymgmt commands, see the related topics.
2. If you are moving a non-clustered server to a new cluster, and the moved server will become the first server in the cluster, follow these steps to move the credential store from the non-clustered server: a. Use the keymgmt export command to copy the credential store data to a file. b. Rename the credstore.nsf file. c. Change the server document to specify the new cluster name, and restart the server.
d. Use the keymgmt create command to create a new credential store application. e. Use the keymgmt import command to populate the new credential store application with the copied credential store data from the file you created in step 1 3. If you are moving a non-clustered server to an existing cluster that already has a credential store, follow these steps to move the credential store from the non-clustered server: a. Use the keymgmt export command to copy the credential store data to a file. b. Rename the credstore.nsf file. c. Change the server document to specify the name of the existing cluster, and restart the server. d. Use the keymgmt create command to create a new credential store application. e. At another server in the existing cluster, use the keymgmt export and keymgmt import commands to examine the document encryption key in the server ID file. f. On the server you are moving, create a replica of the credential store application from the
84
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
server where you confirmed the server ID file contains the correct document encryption key. g. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1. 4. If you are moving a server that already has a credential store out of a cluster, follow these steps to move the credential store: a. Use the keymgmt export command to copy the credential store data to a file. b. Rename the credstore.nsf file. c. Change the server document to remove the server from the cluster, and restart the server. d. Use the keymgmt create command to create a new credential store application. e. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1. 5. If you are moving a clustered server to a new cluster, and the moved server will become the first server in the new cluster, follow these steps to move the credential store: a. Use the keymgmt export command to copy the credential store data to a file. b. Rename the credstore.nsf file. c. Change the server document to specify the new cluster name, and restart the server.
d. Use the keymgmt create command to create a new credential store application. e. Use the keymgmt import command to populate the new credential store application with the copied credential store data from the file you created in step 1 6. If you are moving a clustered server to a different existing cluster, follow these steps to move the credential store: a. Use the keymgmt export command to copy the credential store data to a file. b. Rename the credstore.nsf file. c. Change the server document to remove the server from its original cluster, and restart the server. d. On the server you are moving, create a replica of the credential store application from another server in the target cluster where you have confirmed the server ID file contains the correct document encryption key. e. Use the keymgmt import command to populate the new credential store replica with the copied credential store data from the file you created in step 1.
85
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Procedure
1. Use the keymgmt export command to copy the credential store data to a file. 2. If the server to which you are moving the credential store application (the target) is not clustered, use the keymgmt create command on the target server to create a new credential store application. 3. Use the keymgmt import command to populate the credential store application on the target server with the copied credential store data from the file you created in step 1.
List of server commands and syntax This list briefly describes the IBM Domino server commands that are available. Keymgmt Create Creates a credential store application (credstore.nsf) and uses it to store the document encryption key for Web authentication using the OAuth protocol. Keymgmt Export Exports a copy of an existing credential store application (credstore.nsf). Keymgmt Import Imports documents from a credential store application file and adds them to the existing credstore.nsf on a Domino server.
Keymgmt Create
Creates a credential store application (credstore.nsf) and uses it to store the document encryption key for Web authentication using the OAuth protocol. Details This command creates the credential store application credstore.nsf in the directory data\IBM_CredStore on the Domino server. Then Domino checks the Domino server ID file to ensure that the document encryption key specified by the Keymgmt command exists. If the key exists, Domino creates a document in the Credential Store database specifying the name and fingerprint of the document encryption key, and whether the credential store application is only to be used on the same server, or within a cluster. Restriction In the current release, there can be only one credential store on a non-clustered server, or one per cluster if your organization uses clusters, and the credential store application name must be named credstore.nsf.
86
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Tip The command uses the abbreviation nek for "named encryption key," which is another term for the document encryption key. Syntax KEYMGMT CREATE nek nekname KEYMGMT CREATE credstore nekname Examples To create a document encryption key called credstorekey, to be used to secure a credential store, enter: KEYMGMT CREATE nek credstorekey To create the credential store using a document encryption key called credstorekey, enter: KEYMGMT CREATE credstore credstorekey
Keymgmt Export
Exports a copy of an existing credential store application (credstore.nsf). Details This command creates a credential store application file called filename in the directory data\IBM_CredStore on the Domino server specified in the command by servername. Then Domino creates a copy of every document in the original credstore.nsf and stores it in the new application file. The filename is relative to the directory from which you launched the Domino server. If the file does not already have the extension .key, Domino adds it. Note: If any document being copied has an encrypted bulk key, the document is decrypted and re-encrypted with the public key of the Domino server specified in the command by servername. Syntax KEYMGMT EXPORT credstore filename servername Examples To export the credential store to a database called credstore_renovations.nsf on the server renovations_sales, enter: KEYMGMT EXPORT credstore credstore_renovations.nsf renovations_sales
87
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Keymgmt Import
Imports documents from a credential store application file and adds them to the existing credstore.nsf on a Domino server. Details This command copies all documents from a credential store application called filename. The filename is relative to the directory from which you launched the Domino server. Then Domino adds the documents to the existing credstore.nsf in the directory data\IBM_CredStore on the Domino server where you issue the command. Note: If any document being copied has an encrypted bulk key, the document is decrypted with the private key of the Domino server where you issue the command, and re-encrypted with the document encryption key specified in the credstore.nsf already existing on the same server. Syntax KEYMGMT IMPORT credstore filename Examples To import documents from a credential store application called credstore_renovations.nsf, enter: KEYMGMT CREATE credstore credstore_renovations.nsf
Electronic signatures
No Domino configuration is required to make use of SHA-2. When Notes client users receive S/MIME messages encrypted using the algorithm, SHA-2 is listed in the Document Encryption and Signing Properties box that a client user can open by clicking the Signature or Encryption icon in the Notes client status bar. Tip It is recommended that the Domino administrator use RSA-2048 and AES-128 with SHA-2. To do so, set all client user's ID files to use 2048-bit RSA keys, and configure all Person documents with the setting Can decrypt documents using FIPS 140-2 approved algorithms in order to ensure AES-128. For more information, see the Information center topic on configuring AES encryption
88
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
AUTO_SORT_DATE=11 or 12 - Enables the preference Automatically sort date columns (takes effect after reopening mail tab ). A value of 11 enables the option Most recent on top (the default) and 12 enables Most recent on bottom.
TypeaheadShowServerFirst=1 - When users affected by the policy see a typeahead list, the server lists server results first, and then a Search Local Directory for name option. Tip This NOTES.INI setting also works in Notes/Domino release 8.5.3.
Widgets changes
The Widgets tab in the desktop policy settings document provides additional How To Apply settings These settings now make available a drop-down list of all How To Apply settings: z Widget catalog categories to install z Enable Live Text These settings continue to provide a drop-down list of all How To Apply settings: z Widget catalog server z Widget catalog application name z Show the My Widgets panel in the sidebar
89
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The remaining settings have the new Don't set value How To Apply option.
Widgets in iNotes In this beta release of IBM iNotes 9.0 Social Edition, the widgets feature in the Outline view of the Domino Administrator client is no longer supported. The My Widgets sidebar has replaced widgets in the Outline view. Widgets that were installed into the Widgets folder in the Outline view will not be migrated to the My Widgets sidebar panel. You will need to reinstall those widgets into the My Widgets sidebar panel. The IBM iNotes > Configuration tab on the Mail policy settings document contains a Widget Settings section. That section of the policy document is marked as "Obsolete as of Domino 9.0." The two settings in that section apply to widgets in the Outline view, which is no longer supported. Those settings do not apply to the My Widgets sidebar.
90
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
For support of Notes or iNotes client users, the administrator of the widget catalog on the Domino 9.0 Social Edition server can use the Platform field in widget catalog documents to control which widgets in a category of widget are deployed to client users of this release and of earlier releases of Lotus Notes and Lotus iNotes. This feature is enabled by default on iNotes clients. For Notes clients, you need to enable a preference to use this feature. If a desktop settings policy is set up to push a widget catalog server, widget catalog application name, and widget categories to install to the users of the policy, the Platform field determines whether the widgets in the category should be installed on the specific client and release. Important OpenSocial widgets should be installed only on Notes 9.0 Social Edition or iNotes 9.0 Social Edition or later clients. To install such widgets properly, set the Platform field to IBM Notes 9.0 and, if you have iNotes client users, IBM iNotes 9.0. Notes Preferences Use the preferences described in this section to customize how this filtering works on Notes clients:
Preference 1: com.ibm.rcp.toolbox.admin/filterByWidgetPlatform The default value of this preference is 'false'. When set to false, no filtering is done and all widgets in the configured categories are installed during category installation of widgets. When set to true, widgets are filtered during category installation of widgets. Preference 2: com.ibm.rcp.toolbox.admin/currentNotesPlatform The default value of this preference in Notes 9.0 Social Edition is the release number indicator N90. N90 maps to the Platform field value of "IBM Notes 9.0" in widget documents.
Use this preference to define the current platform release. During category install of widgets. the currentNotesPlatform value is compared to the release number indicators listed in the Platform field entries in widget documents. The release number indicators in the widget catalog are: N801 for IBM Lotus Notes 8.0.1 N802 for IBM Lotus Notes 8.0.2 N85 for IBM Lotus Notes 8.5 N851 for IBM Lotus Notes 8.5.1 N852 for IBM Lotus Notes 8.5.2 N853 for IBM Lotus Notes 8.5.3 N90 for IBM Notes 9.0. See the 'strictWidgetFilter' preference for more information on how filtering is done. If you change the currentNotesPlatform parameter from its default value, you should use the syntax of N <release> , for example, N90FP1. In the widget catalog, you would then add your own custom platform value in your widgets using the same syntax: N90FP1. This will allow you to deploy widgets to specific fixpack installations.
Preference 3: com.ibm.rcp.toolbox.admin/strictWidgetFilter
The default value of this preference is 'true'.
91
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
When set to true, and the filterByWidgetPlatform parameter is enabled, during category installation of widgets, one of these actions occurs: z If the Platform field list of the widget contains the currentNotesPlatform value, the widget is installed z If the Platform field list is empty, indicating all releases, the widget is installed z If the Platform field list of the widget has at least one release in it and the list does not contain the currentNotesPlatform value, then the widget is not installed and a warning message is logged If this preference is set to true and filterByWidgetPlatform is enabled, during drag-and-drop installation of a widget, the following occurs: z If the Platform field list of the widget has at least one release in it and the list does not contain the currentNotesPlatform value, the widget is installed, but a warning message is logged If this preference is set to false and filterByWidgetPlatform is enabled, during category installation of widgets, one of these actions occurs: z If the Platform field list of the widget contains the currentNotesPlatform value or any value indicating a previous release of Lotus Notes, the widget is installed z If the Platform field list is empty, indicating all platforms, the widget is installed z If the Platform field list of the widget has at least one value in it and the list does not contain the currentNotesPlatform value or any value specifying a previous Lotus Notes release, then the widget is not installed and a warning message is logged If this preference is set to false and filterByWidgetPlatform is enabled, during drag-and-drop installation of a widget, the following action occurs: z If the Platform field list of the widget has at least one value in it and the list does not contain the currentNotesPlatform value or any value specifying a previous Lotus Notes release, the widget is installed, but a warning message is logged iNotes settings A new NOTES.INI parameter in the NOTES.INI file on the Domino 9.0 Social Edition server running iNotes controls whether the filtering of widgets during category installation is strict or not strict: iNotes_WA_strictWidgetFilter The default value is "1" which enables strict filtering. You can change the value to "0" to disable strict filtering. When the parameter is set to "1", during category installation of widgets, one of these actions occurs: z If the Platform field list of the widget contains the indicator for the current iNotes release (IBM iNotes 9.0) value, the widget is installed z If the Platform field list is empty, which indicates all releases, the widget is installed z If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0), then the widget is not installed and a warning message is logged When this preference is set to "1", during drag-and-drop installation of a widget, the following occurs: z If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0), the widget is installed, but a warning message is logged
92
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
When this preference is set to "0", during category installation of widgets, one of these actions occurs: z If the Platform field list of the widget contains the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, the widget is installed z If the Platform field list is empty, which designates all releases, the widget is installed z If the Platform field list of the widget has at least one release in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, then the widget is not installed and a warning message is logged When this preference is set to "0", during drag and drop installation of a widget, the following action occurs: z If the Platform field list of the widget has at least one platform in it and the list does not contain the indicator for the current iNotes release (IBM iNotes 9.0) or an indicator for any previous release of Lotus iNotes, the widget is installed, but a warning message is logged
In this beta release, you can take advantage of a new tool for performing multiple daily/weekly administrative tasks on user's mail database files. The dbmt tool does all of the following: z runs copy-style compact operations z purges deletion stubs z expires soft deleted entries z updates views z reorganizes folders z merges full-text indexes z updates unread lists z ensures that critical views are created for failover Important: When you run this tool, you no longer need to run updall; do not run them both. See the procedure below for details. Command line options z -compactThreads configures the number of threads for performed the database compact operations. Default is 1 thread. If 0 is specified, no compact operations are performed. Base the value selected on the number of disks backing the data directory. -updallThreads configures the number of threads for doing the updall operations. Default z is 1; 0 is not allowed. Base the value selected on the number of disks backing the data directory. -ftiThreads configures the number of threads for rebuilding of the full text indexes. Default is z 1; 0 is not allowed. -timeLimit tl new name for compact -x. Restricts the compact time to tl minutes (for z all compacts). This option does not apply to updall. It is assumed a program document is used to run the dbmt tool every day. After all processing for all threads has completed, dbmt exits. z -range <starttime > <stoptime > - This option assumes that a program document is run only on server startup for the dbmt tool. The dbmt tool sleeps until starttime and performs compact operations until stoptime (or all databases have been processed), at which point the dbmt tool sleeps until starttime). -compactNdays n This option tries to compact all non-system databases every n days. z z -ftiNdays n Rebuilds full text indexes every n days. Default is to rebuild them only when they are corrupt. -force <d > - Selects the day of week to perform fixup on databases that may be having z issues compacting. If d is 0 (zero), the fixup operation will run any day. Fixup is run only when 5 or more consecutive compact operations fail (and the failure is not due to database in use). The value of d is between 0 and 7 where 1 is Sunday, 2 is Monday, and so on. -stoptime <st > - This option assumes that a program document is used to start the dbmt tool z every day. The <st> value specifies at what point compacts should complete. After all processing is complete for all threads, dbmt exits.
93
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
System databases The dbmt tool does not compact system databases. The tool uses a specific list of databases, as follows, for this exception: names.nsf z z log.nsf z admin4.nsf z ddm.nsf z lndfr.nsf z events4.nsf z statrep.nsf z dbdirman.nsf z dircat.nsf z clubusy.nsf z domlog.nsf z cldbdir.nsf z busytime.nsf z catalog.nsf z daoscat.nsf Note If your organization has additional system databases (such as other Domino Directory databases with a file name other than names.nsf), specify them in a notes.ini variable as described in the procedure below. Running the database maintenance tool from a Program document 1. Edit the notes.ini file on the server that contains the mail files and make all the following changes:
z z
Remove nUpdall from the ServerTasksAt2 parameter. Set MailFileDisableCompactAbort=1 Note This parameter prevents the router from interrupting the compact operations by delivering mail; delivery restarts after the compact operations complete.
Add any additional system databases to the notes.ini variable DBMT_FILTER. Separate entries in the list either by a space ' ', a comma ',' or a semi-colon ';'. The names are case-insensitive and are relative to the data directory. For example, if the data directory is d:\notefile and the database in the root of the data directory is log.nsf, you would enter DBMT_FILTER=log.nsf
2. Create a Program document that specifies the dbmt tool runs once at server startup with parameters shown below. 3. Specify the command in the Program document with at least the following options: -compactThreads n -updallThreads n -compactNdays n -force d -range starttime stoptime
For example, the following set of parameters specifies 8 threads (based on disk drives backing the notes data directory) for both the compact and updall tasks, a window between 2:00 AM and 5:00 AM in which to run the tool, 5 days to wait before compacting non-system databases, and Sunday as the day to perform fixup on databases that cannot be compacted. -compactThreads 8 -updallThreads 8 -range 2:00AM 7:00AM -compactNdays 5 -force 1
94
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Running the database maintenance tool from the server console When running dbmt from the command line on IBM AIX, Linux, or UNIX, use this format: dbmt <filename> When running compact from the command line on Microsoft Windows, use this format: ndbmt <filename>
New option for Updall Updall performs the following tasks by default. These are also tasks that the database maintenance tools performs: z purges deletion stubs z expires soft deleted entries z updates unread lists Because the database maintenance tool is meant to replace (and improve upon) running updall nightly, you can use the following new option for updall to skip the tasks above, making updall faster when you run it for any one-time purpose. -nodbmt When you run updall as part of dbmt, Domino also ensures that the following views are built for databases with a template name of StdR85Mail: z $Inbox z $Drafts z $All z ($RepeatLookup) z ($ToDo) z ($Calendar) z ($Haiku_TOC) z ($Alarms) z ($iNotes) z ($Users) z ($iNotes_Contacts) z ($ThreadsEmbeded) After these views are built, they will not be discarded due to non-use. You can also build additional views for StdR85Mail templates or other templates by specifying NOTES.INI variables using the following format: dbmt_template name =view_name_or_alias ;view_name_or_alias;view_name_or_alias Substitute the template name after the underscore, and separate the view or alias names with either semicolons or commas. For example: dbmt_stdr85mail=($sent),stationery;by category
95
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
You can make file sharing easier for IBM iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with IBM Connections files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Connections. Where possible, the files that are being linked to are shared with the recipients at send time. Users can upload received attachments to Connections Files and then remove the attachment from the email and replace it with a link to the newly uploaded file to save space it their mail file. Connections 3.6 and more recent versions are supported for integration with iNotes. 1. Configure Connections for your environment. 2. Set up SSO between the Connections server and the IBM Domino server. SSO is not required but it allows users to log in to iNotes and Connections with one logon. 3. Configure the Connections server to display email addresses. If you specify notes.ini file settings that correspond to the settings on the mail policy settings document, Connection Files Integration section, the mail policy settings are overridden by the corresponding notes.ini file settings. 1. From the mail policy settings document, click IBM iNotes, and then click Configuration. 2. In the Connection Files Integration section, in the Allow Files Integration field, accept the default setting of Enable. 3. In the URL to Connections Files service field, enter the URL for the Connection Files service. Note: This URL must point to the URL of just the Files service, not the overall Connections installation. For example, enter http://mycompany.com/connections/files Note: Change the default settings in steps 4- 6 only if necessary. 4. In the Enable sharing linked files in mail field, accept the default of True. Linked files are automatically shared with the email recipients. When this setting is False, the sender must manually share the linked files in Connections with the recipients; however, it will reduce the load on the Connections server when all recipients do not need access to the file. 5. In Maximum group size for sharing linked files field, enter the maximum group size for sharing linked files. By default, linked files are only shared with groups of 100 or fewer members. Sharing linked files with large groups of recipients is inefficient. In the case of a large group, it is better to put the file in a Community or to put in a folder with shared access. Note: This limit only applies to private groups if the delivery option is set to Do not expand personal groups and that group has not been expanded earlier in the session. 6. In the When replying to an email containing links to Files , only share linked files in the newly added part of the thread field, accept the default of False. Changing the setting to True, reduces the load on the Connections server for long email threads. However, if a user replies to a thread containing a link to a file in Connections Files and adds a new recipient to the thread, the new recipient is not given access to the file. This setting only applies to email being replied to, not forwarded, since it is likely that the file has already been shared with recipients earlier in the thread. For forwarded email, there are new recipients who are less likely to have access to the file. 7. Complete the procedure Designating the proxy settings in the security policy settings document. 8. If any of the URLs specified in step 7 use SSL with a self-signed certificate, import them into the Domino Directory and cross-certify them so that they are trusted.
96
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Designating the proxy settings in the security policy settings document 1. From the security policy settings document, click Proxies. In the Add white list rule for proxy servlets field, click Edit List. The White list rule to add or modify fields display. 2. In the Context field, enter /xsp/proxy/LcFilesProxy/ 3. In the Actions field, enter HEAD, GET, POST, PUT. Note: By default, PUT is not enabled on the Domino server. If Internet configurations are being loaded from Server or Internet Sites documents, enable PUT from within the Allowed Methods section of the Configuration tab of the Internet site document. If you are not using Internet Sites documents, then enter this NOTES.INI file setting: HTTPEnableMethods=PUT 4. In the Headers field, enter * (an asterisk). 5. In the MIME Types field, enter * (an asterisk). 6. In the Cookies field, if you are using SSO, be sure to include either LtpaToken or LtpaToken2. If you are not using SSO, do not enter anything. 7. Click Add/Modify Value. The Context and URL values are added to the Add these white-list rules for proxy servlets field. Click OK. 8. If you are not using SSO, repeat steps 2 - 8 using the same Connections URL but with https instead of http for use with the Connections login dialog. The easiest way to repeat these steps is to click Add/Modify Value and modify the URL you just added. Modifying the URL creates a new rule but does not change the existing rule. 9. Click Save and Close.
97
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Notes Client
Purpose of the early drop
Before installing this beta client , it is recommended to first uninstall your existing Notes client . The client team is looking for feedback on specific aspects of the Notes product for each beta release. As a result, areas of the product may not have undergone the extensive testing that normally takes place with releasing a milestone. We don't recommend that you use the early builds for anything other than testing the focus areas for a given drop, as these focus areas have undergone more extensive testing. If you find any problems with any of the focus areas, please report those issues in the forum.
Focus features
As an early beta partner using these features, what we need from you is feedback on (1) the usability of the features, (2) the user interface, and (3) the following write-ups, which will become part of a Technote or wiki article.
Mail features
See messages in your Inbox grouped by date From your Inbox, select Show > By Date to see your Inbox grouped into messages from Today, Yesterday, Last week, etc:
98
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Abbreviated dates The Mail views now show abbreviated, simplified dates according to the following changes:
z z z z z
If the date falls on the current day, then the date column will only show the time, for example: "4:50 PM" Yesterday's date will have "Yesterday" plus the time If the date falls on a prior day within the past year, then the month and day will be shown with the time, for example: "May 12 3:50 PM" If the date falls on a day in a previous year, then the traditional date/time is show, for example "5/12/2011 3:15 PM" If, for some reason, there is a future date in the Mail view, due to OS settings, it will be displayed the way that the "May 12 3:50 PM" example is shown above.
Abbreviated dates can be over-ridden by the end user. For mail views, the "Use abbreviated dates" checkbox will be checked default; users can uncheck it to override this behavior. For other views, "Use abbreviated dates" will be unchecked by default.
99
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
For Administrators
For mail views, abbreviated dates is now the default. This is done through Designer to make it the default in the mail template, with a new choice for "Abbreviated". Mail views here include all views in Mail including: chat history, followup, etc. Folders will inherit this change if the update is done on folders. This would be available as a choice for all core Notes views having a date column, but will not be turned on by default.
Note: You will not see this check box unless you have the current beta release installed. Also, any modifications made by an older Designer client will clear out this option when the view/folder is saved. Message "snippets" are available in Inbox view Preview message text in your Inbox view. From the Inbox, select Show > Beginning of Message to display message body text. Hover over messages in your Inbox to see the first 100 characters. New action bar button for "Read/Unread" mail A new action bar button in the Inbox allows you to mark messages Read or Unread, instead of using the Edit > Unread marks menu.
100
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Image preview for attachments You will now see a thumbnail preview of attachment images when reading MIME email. You will also see this preview when creating image attachments in the rich text editor.
Calendar features
Scroll through One Month view in Calendar Instead of viewing only one entire month at a time, now you can scroll through the One Month view of the calendar 1 week at a time. For example, instead of being able to view only all of December or all of January, you can view the last few weeks of December and the first few weeks of January.
Drag the scroll bar slider to navigate to a specific month (a tool tip will tell you which month you are scrolling to) Click the up or down arrow of the scroll bar to navigate forward or backward by one week. Click within the scroll bar to navigate forward or backward by one month.
Scroll backward one month. - PgUp Scroll forward one month. - PgDn Scroll backward one week. Ctrl+PgUp Scroll forward one week - Ctrl+PgDn
101
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
New Weekly Planner in Calendar Notes 9.0 Social Edition includes a new Calendar view called Weekly Planner. The Weekly Planner shows the days of the week in a two-column format as shown below, which is similar to the Weekly view in the Notes Basic Client. You can scroll within a day to see more entries.
In the Weekly Planner, you can click Show > Show Available Times to see the times when no events are scheduled. If you select Show Available Times, it will show a day's available times like this:
102
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Color-code calendar entries by category You can now color-code your calendar entries by category. Note that this feature will override any existing Calendar Entry Colors settings on the Calendar & To Do > Colors preferences tab. To set category colors for calendar entries, choose File > Preferences > Calendar & To Do > Colors > Category Colors, and set color codes for your calendar event categories:
You can also assign colors for color-coded categories directly from the calendar entry form. From a new calendar entry, select the Assign Colors button.
103
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Check Calendar dialog box remains in view The Check Calendar dialog can be moved and sized, and now remains on top while you're interacting with Notes. Forward overlaid teamroom calendar as email You can now forward a teamroom calendar that you have overlaid into your Notes calendar as an email.
Calendar and Scheduling APIs for C SDK The Notes and Domino calendar and scheduling API enables application developers to create, modify, read, delete, or take calendar actions on calendar entries and meeting notices in a Domino mail file. The API encapsulates the complexities of Notes/Domino calendar data, including repeating meetings and notice creation, by utilizing the standardized iCalendar data format. A preliminary version of the API for the C SDK is included in CD2. Future Java & LotusScript APIs, as well as a REST calendar service may be built on top of this C functionality, but are not included in CD2. Specifics of the calendar functionality contained in the C SDK are documented in the calendarapi.h header file. Please provide any feedback regarding the API such that we can determine if further modification is needed before it is finalized. At this point the new API is not yet officially supported and is subject to potential modification or omission in future beta releases.
104
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If users aren't leveraging Live Text or Widgets, this will prevent any extra annotations.
To disable Live Text locally through preferences: 1. Click File > Preferences. 2. Click Live Text Note: If this option is not displayed, click Widgets instead. Click the checkbox Show Widgets Toolbar and the My Widgets panel , click OK, and then re-open preferences. 3. Under Live Text, de-select the only checkbox 4. Click OK.
If users plan to leverage other capabilities, depending on Policy settings users can disable specific content types including Person and Phone Number. To disable Content Types: 1. Click File > Preferences. 2. Click Live Text 3. Go to the Live Text Content Types section and uncheck the "Person" or "Phone Number" options, as desired.
105
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Search features
Improved Starts with /Quick Find experience Now you can find information more easily in Mail, Calendar, teamrooms, or any other view in Notes. You can now select which column to search (which also sorts automatically by that column), and if you're searching for a name, type-ahead will help you quickly find that name.
To use this feature, start typing in any view (or click Ctrl + F) and a dialog will appear, where you can choose which column to search and continue typing the information you'd like to find.
You can choose to search in any column in that view, or choose Any column to search in all columns.
106
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
In views with no columns, such as the One Week, or One month view in Calendar, you can choose to search just that view or search in the entire application. For example, if you're looking at the monthly view of April select This view to just search the month of April, or select All to search the entire Calendar.
Search results more easily sorted by selected view sort order The Show Results drop-down menu, which defines the view sort order for search results, has been placed more prominently in the View Search box. This allows you to change the sort order for search results without having to execute the search again each time.
Note: An application must have a full-text index in order for the user to see the Show Results drop-down menu; otherwise you will see a Not Indexed notification link.
107
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Search Mail and Archives at the same time Note: This feature is only available to Notes Standard client users. Notes 9.0 Social Edition allows you to simultaneously search your mail file and any mail archive applications you may have created. This option is available in the Search toolbar:
You can disable this option by selecting File > Preferences > Search > Search List and unchecking "All Mail and Archives" from the search list:
108
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
iNotes features
iNotes Calendar features Note: If you followed the CD3 instructions and manually set up INI commands to enable certain new calendar features, the features are enabled by default for CD4 and later, so you can remove the now unneeded CD3 INI commands.
iNotes 9.0 Calendar forms (Create, Edit, Notice) and Scheduler widget preview
Prerequisite: IBM Domino server installation with version 9.0 Social Edition CD6 and iNotes capabilities enabled Please post feedback on the new user interface in the Notes/Domino NEXT Design Partner Program forum.
Users have new, easier-to-read forms that are faster to use to schedule team meetings, as well as individual appointments, anniversaries, all day events, and reminders. To simplify the feature-rich calendar forms, less frequently used features are hidden, yet they remain available in a way that users can easily re-display them and use the features as needed. The new calendar forms are more integrated with the current mail experience and iNotes framework.
109
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The updated forms include these notices an invitee can receive: invitations, broadcast notices, reschedule notices, meeting updates, confirmations, cancellations, notices of being removed from a meeting, and delegation notices (from another invitee) The updated forms include these notices a chairperson can receive: counter-proposals, information requests, acceptance notices, decline notices, delegation notices, and tentative acceptance notices For meeting invitations, users can tell if they are available within the meeting notice. Users can also act on this new status and check their calendars or propose a new time to meet. When proposing a new time, users now have the option to add comments by default. Users no longer have to choose between Propose new time and Propose new time with comments ; they can simply add comments to a proposal or not.
z z
110
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
When a chair creates a meeting or an invitee proposes a new time for a meeting, both can use the new dynamic scheduler widget to easily drag and drop to select a time that accommodates attendee schedules. Users can do the following with the dynamic scheduler widget: Drag to change the meeting time or duration Notice green check marks over time columns that indicate that all invitees can attend at those times. While dragging over different times, notice that the drag bar changes between green and red to indicate whether all invitees can attend or not at the selected time. Drop the drag bar on a day boundary to auto-expand the time grid to 24-hour mode Quickly pick a recommended meeting time for all required attendees
z z z
z z
Users can schedule a meeting quickly while reading daily email with the new dynamic scheduler widget. Right-click on any document and click Find available time to open the new scheduler. Use the dynamic scheduler to pick your meeting time and then click Create meeting to schedule the event quickly.
111
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Simplified calendar entry colors Conflict indicators to show when two calendar events overlap in time (for example, see Tuesday at 10am). Gutter area to right of calendar entries that you can easily double-click and create a new entry with an overlapping time
Importing Contacts into iNotes You can import existing Microsoft Outlook contacts into your iNotes client by first exporting them from Outlook as a comma separated value (CSV) file, and then importing that file. Support for IBM Social Theme Support has been added to the current beta release for the IBM Social theme for iNotes. This theme provides a new, cleaner, more modern look to the iNotes 9.0 client. This theme is being adopted across the IBM product line for UI consistency. Return receipt generation control A new Domino server NOTES.INI setting called iNotes_WA_SendReturnReceipt enables iNotes users to set how to handle return receipts for incoming messages that request them. The NOTES.INI setting has the following values: iNotes_WA_SendReturnReceipt=2 return receipt for individual messages iNotes_WA_SendReturnReceipt=1 iNotes_WA_SendReturnReceipt=0 Display prompt giving user the option to send or not send a Always send return receipt (default) Never send a return receipt
112
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Paste images from clipboard with Firefox Firefox users can copy and paste images from the clipboard into the rich text editor of a mail message. Other browsers such as Internet Explorer, Safari, and Chrome are not supported because they do not support pasting images from the clipboard. Attachments area improvements A new and improved attachment HTML-based area is available across all browsers. This attachment area also supports drag and drop of files in recent browsers that support HTML5. Notes link improvements For 9.0, default links are Notes-only links, rather than web links, and the Notes links are represented by as in previous releases), new icons (rather than
If the NOTES.INI setting iNotes_WA_OfferNotesURLLinks is set to 1, then both Notes and web links are displayed, respectively, for a linked item.
Social Edition: New Widgets and Live Text support for iNotes NOTE: Widgets and Live Text features are only supported in iNotes client Full Mode iNotes provides the following support for widgets and live text in this release of Domino 9.0 OpenSocial component:
Widgets
z z z z z z
New My Widgets sidebar panel, providing a view of all installed widgets, plus browse catalog and update widget actions Drag and drop to install web and OpenSocial widgets from the widget catalog. Right-click and choose Remove to remove the installed widget. Open web widgets in a tab, window, floating window, or sidebar. Right-click on the widget and choose the corresponding Open command. Open OpenSocial widgets in a tab, floating window, or sidebar. Right-click on the widget and choose the corresponding Open command. Edit widget properties by right-clicking on a widget and choosing Properties. Web and OpenSocial widgets installable via policy by administrators (pushing widgets to end users)
113
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Live text
z z
Live text recognition and action execution is now supported in emails. Send selected text to a widget by selecting the text and double-clicking on the widget in the My Widgets sidebar panel. The widget must have a 'selected text' action configured for it.
In addition, the Notes Browser Plug-in does not support access to a user's mailfile; IBM strongly recommends using iNotes for mail access.
114
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Platform Support
z
The Notes Browser Plug-in is only supported on the Microsoft Windows platform (Windows 7 and Windows 8), and supports the following browsers and versions: - Firefox (Release 10 and above) - Internet Explorer (Release 8 and above)
Installation There are now 2 different ways of installing the Notes Browser Plug-in: either using a stand-alone package, or installing the plug-in during the installation of the standard client. IMPORTANT:
z
If you are installing the Notes Browser Plug-in using its own installer, then you must un-install prior versions of Notes from your system. Changes to support prior Notes client installations and migration of data are planned for after the current beta release. If you had used the "LotusNotesBrowserExtension.xpi" file from an early pre-beta release, you MUST remove that add-on from Firefox. To remove: Select Tools -> Add-ons in Firefox, select the Notes Browser plugin add-on, and remove it from the browser. Restart the browser.
NotesPluginMin - minimum, which does not have a JVM, which means that if you have an application with Java Agents, it will not work. NotesPluginMax - includes a JVM.
When you use either of the above installation packages, it will first uninstall any prior installation of Notes. It will then install the components required for the plug-in, and register the components in Firefox or Internet Explorer, or both if both browsers are available on the system. Once you complete this installation, restart the browser for it to detect the new installation.
115
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Select the "Notes Browser Plug-in" option under 'Notes Client' and select "Install this component on the local hard drive" to install the Browser Plug-in specific components on your system. Once completed, you will be able to use either your Standard Client, or the Notes Browser Plug-in. You cannot run both of them at the same time. Please read the "Known issues" section below for additional information.
116
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If you are using the existing Notes/Data directory, your Notes Client bookmarks are migrated to Firefox and internet Explorer bookmarks when you launch the IBM Notes Browser Plug-in. The migrated bookmarks will show up under a "Notes Applications" entry in the browser's bookmarks. This plug-in does not support access to a user's mailfile. We strongly recommend using iNotes for mail access. Once a Notes application or Notes document is opened inside the browser, you can leverage the browser's bookmark or type-ahead functionality to quickly re-open the application or document. Simply start typing the string which will match the application name in the browser's URL bar. Following are some examples of URLs you can use: Notes:Home Notes:replication Notes:workspace -- Opens the welcome page -- Opens the replicator page -- Opens the workspace
z z
Notes URL Syntax: Notes://[optional server]/[required database ] example URLs: (local DB -> notes:///journal.nsf, server DB -> notes://server1/test.nsf )
iNotes integration This code-drop supports tighter integration with the IBM iNotes Client. For this integration to work, you must have a working iNotes environment. Also, please add the following entries to your notes.ini file on the system where the Notes Browser Plug-in is installed: BrowserAllowiNotesMail=1 INOTES_SERVER_PATH=<servername> (in the format "xyz.ibm.com") Following are some of the functions that are supported:
z
Icon on the iNotes bar to launch the Notes Browser Plug-in (as seen below)
Clicking on an application link in an email received in iNotes launches the application in the Notes Browser Plug-in. Icon on the Notes Browser Plug-in menu bar to launch iNotes While looking at any document in the Notes Browser Plug-in, right-clicking on "Forward" will create a memo in iNotes with the current document embedded inside it. For this to work, the following things need to be set: - your mailfile or the primary server should have iNotes hosted - notes.ini settings as above.
z z
117
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
"Copy as table" in the Notes Browser Plug-in has been enhanced to copy view entries as an HTML table, so it can be pasted easily in an iNotes email. If you do not have access to an iNotes server, you can add "BrowserAllowNotes=0" to remove the icon for iNotes access.
Troubleshooting issues under Firefox After installing the IBM Notes Browser Plug-in, when you first open Firefox, it will ask the you to verify and 'enable' the plug-in. You must enable the plug-in and restart Firefox for the Browser Plug-in to work. If, after installing the plugin, a new version of Firefox is installed (new installation) or if the Firefox browser is upgraded to a new version, the option to enable the plug-in may not appear automatically. In that case, select "Tools -> Add-ons" and select 'Extensions' to find the IBM Notes Browser Plug-in Extension entry, then enable it manually. (SPR# AGAM92QHEA). Browser settings for Internet Explorer The following settings must be set in Internet Explorer (IE), to have the plug-in work properly:
z
Options to be checked: - Always switch to new tabs when they are created - A new tab in current window
Options to be unchecked: - Enable automatic crash recovery - Warn me closing multiple tabs
To run the Notes Browser Plug-in, Internet Explorer should run in disabled protected mode; by default, IE runs in protected mode for security reasons. Because of the protected mode, IE runs at "Low Integrity Level" and the Notes process runs at "Medium Integrity Level". Both IE and Notes should run at "Medium Integrity Level".
Notes does add some registry settings through the installer, in order to add Notes in Trusted Site Zones. The installer adds the "notes" = "(2)" entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults registry key. This key gets added for the user who installs Notes for the first time. In case of a multiuser install, users other than the installed user (generally administrator), do not have this key enabled in their registry settings. To overcome this issue, the logged user will have to make the following changes in their registry:
z z z
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults - Add Name- notes Type- REG_DWORD Data - 2 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - Change the value for 1809 / add new entry as 1809 Type - REG_DWORD Data - 3 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - Change the value for 2500 / add new entry as 2500 Type - REG_DWORD Data - 3
118
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Everything in the Social Gadget Specification, except for osapi.people.getViewer, osapi.people.getOwner, <os:ViewerRequest>, and <os:OwnerRequest>. The Social API Server Specification.
Notes and iNotes Social Edition are OAuth 2.0 and OAuth 1.0a consumers, and gadgets can leverage these technologies to make requests to OAuth-protected web services. OpenSocial gadgets can make requests to web services via gadgets.io.makeRequest or osapi.http.* (OAuth requests must be made through gadgets.io.makeRequest). OpenSocial gadgets may contribute actions and get the current selection in Notes or iNotes. Services can use OpenSocial gadgets and URLs to provide embedded experiences in mail. See the "Embedded experiences" section of this document for additional details on this functionality. OpenSocial gadgets can open dialogs (modal and non-modal), tabs, and sidebars using the gadgets.views.open* APIs in OpenSocial.
z z z
Embedded experiences Embedded experiences allow application developers to embed content from their applications inside OpenSocial 2.0 containers, like a gadget or a simple web page. Containers and gadgets which support embedded content can choose to render this content as an embedded experience. Embedded experiences can be placed in emails using the MIME standard. For example, in addition to plain text and HTML, MIME types for JSON-based and XML-based applications can be embedded directly in an email. Notes Social Edition and iNotes Social Edition both support embedded experiences in email.
119
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Gadget actions and OpenSearch A gadget can contribute actions to the Notes and iNotes clients. These actions can be contributed by the context menu and either the top-level menu (Notes only), or the toolbar menu (iNotes only). A gadget may contribute actions to specific objects, such as mail messages, contacts, and attachments (Notes only), and display in the context menu when selecting and right-clicking those objects.
In addition, in iNotes, actions on files are contributed to the attachments toolbar. When run, the action opens the parent gadget and runs some JavaScript, which may or may not act on the current selection. The action can specify both the gadget view in which it should open (for example, profile, default, or canvas), and the view target, which is the type of Notes/iNotes view in which the gadget should be opened (for example, tabbed page, sidebar, floating window, or dialog box). If no view is specified, the action runs in the default (or current, if open) view of the gadget, and if no view target is specified, the action runs in a floating window. NOTE: If multiple instances of the same gadget are open, the action runs in all of those views. If any instance of the gadget is open, the action runs in that instance, no new instance is opened, and the view target is ignored.
120
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
This action binds to any opensocialPerson object which, in the Notes context, means, for example, the sender in your Inbox or a contact: <action id="os.test.person" dataType="opensocial.Person" label="Person Action" tooltip="Person Action" /> This action binds to an opensocialPerson object and opens in the profile view inside the gadget: <action id="os.test.person.blue" dataType="opensocial.Person" label="Profile Person Action" tooltip="Blue Person Action" view="profile" /> This action binds to an opensocialPerson object, opens in the canvas view inside the gadget, and opens the gadget in a new tab: <action id="os.test.person.blue.tab" dataType="opensocial.Person" label="Tab Person Action" tooltip="Blue Tab Person Action" view="canvas" viewTarget="TAB" />
OpenSearch
Gadgets that implement the opensearch feature contribute the search engine described in the feature to the Notes Search Center. For example, a gadget containing the following feature declaration contributes CNN.com search to the Notes Search Center. (See image below.) The user can then search the CNN web site from inside the Notes client.
Feature declaration
<?xml version="1.0" encoding="UTF-8"?> <Module> <ModulePrefs title="CNN Search"> <Optional feature="opensearch"> <Param name="opensearch-description"><![CDATA[<OpenSearchDescription xmlns=" http://a9.com/-/spec/opensearch/1.1/" > <ShortName>CNN.com</ShortName> <Description>CNN.com Search</Description> <InputEncoding>UTF-8</InputEncoding> <SearchForm>http://search.cnn.com/</SearchForm> <Url type="text/html" method="get" template="http://www.cnn.com/search/?query= {searchTerms}"> </Url> </OpenSearchDescription> ]]></Param> </Optional> </ModulePrefs> <Content type="html"><![CDATA[ Hello, world! ]]></Content> </Module>
121
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
OpenSocial actions in Notes and iNotes The below table outlines the location in Notes or iNotes where a developer will find various OpenSocial action types and paths, for gadgets they are developing: Type opensocial.Pers on opensocial.Mes sage opensocial.File Product iNotes Notes iNotes Notes iNotes Notes Where Contacts area view context menu Contacts view context menu, Live Name Context menu, Sametime buddy list context menu Mail area Inbox/Folders view context menu Mail area views/Folders view context menu Mail (reading, not editing) message attachment area toolbar button Any attachment in a document, right click menu
122
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Product Notes
Where Contribute to the notes application menus. container/menus/File/New will place an action in the File -> New Notes menu Contribute a toolbar button to the Notes toolbar
Notes
Creating OpenSocial Widgets In Notes Social Edition 9.0, there is a new widget type: OpenSocial Widgets. The widget type supports creating widgets based on existing OpenSocial Gadgets. A widget developer can create an OpenSocial widget by using the new OpenSocial widget wizard. OpenSocial widgets can be used like other widget types in that you can perform these tasks:
z z
Open them in a tab, new window, floating window, or in a sidebar panel Wire live text to widget actions
An OpenSocial gadget can also provide advanced features (such as using APIs, OAuth, and rendering in an embedded experience) as detailed in the Social Gadget Specification. Due to the use of advanced features, OpenSocial widgets need to be approved by an administrator before they are made available for client use. When a widget developer creates the widget, the developer needs to publish the widget to the corporate widget catalog. The widget catalog administrator then needs to approve the widget. Once approved, Notes and iNotes 9.0 users can install the widget from the catalog and render the widget in their clients. The widget developer can create OpenSocial widgets using: 1. The "Getting Started with Widgets" toolbar action or Tools > Widgets > Getting Started with Widgets command 2. The My Widgets sidebar panel menu Configure a widget from > OpenSocial Gadget command 3. The "Configure a widget from the current context" toolbar action when an OpenSocial Gadget is open in the embedded browser.
123
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Option 1
Open the widgets Getting Started wizard using the toolbar action --
-- or by using the Tools > Widgets > Getting Started with Widgets command. The following dialog box displays:
124
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
You can select the OpenSocial Gadget option and click Next to open the getting started wizard for OpenSocial Gadget:
If you choose the Browse the OpenSocial Gadget directory option, an embedded browser tab opens a site where you can search for a gadget. When you find the gadget you want, skip to to Option 3 below. If you choose the Add an OpenSocial Gadget option, type the URL for the gadget you want to use and click Next.. The URL goes to the gadget descriptor (.xml file).
125
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The next wizard page downloads the gadget definition from the URL you specified:
126
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
You then see the OpenSocial Widget Feature Capabilities wizard page.
This page lists feature capabilities that the gadget is using. Each feature is listed as Required or Optional as it is listed in the gadget definition. Widget developers can use the Permission column to disable or enable optional features. NOTE: If there is at least one Required feature that is not supported by the client, the widget developer is not allowed to create the widget.
127
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If you click Next, the Configure OpenSocial Gadget Views wizard page displays. You use this page to specify which gadget-supported view to use when rendering the gadget in a particular view target. All views supported by the gadget are listed in each drop-down box.
You can click Next to see the wizard page for specifying the widget name and what you want to do with it (as seen in other widget wizards). If you choose to create a live text action, clicking Next displays the wizard page for creating an action (as seen in other widget wizards). If you then click Next, a wizard page displays, with a summary of the widget you are creating. Clicking Finish creates the widget and places it in your My Widgets sidebar panel.
Option 2
You can use the My Widget sidebar panel menu to select the Configure a widget from > An OpenSocial Gadget command.
This starts the same Start Configuring Widgets wizard for OpenSocial Widget as shown in Option 1 above.
Option 3
128
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If you have an OpenSocial gadget open in the embedded browser, you can click the 'Configure a Widget from Current Context' toolbar button:
You can then click Next to proceed through the OpenSocial widget wizard as described in Option 1 above.
129
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The URL field does not need to match the URL widget itself. The URL field can contain a wild card so that many URLs from the same site can be trusted to be embedded in an email. NOTE: Host names cannot contain a wild card. Example:
z z
Widget URL: http://my.server.com/directory/file.html Embedded experience URL: http://my.server.com/directory/* In this example, when you open the widget, it will navigate to http://my.server.com/directory/file.html. For use in an embedded experience email, any URL that begins with http://my.server.com/directory/ will be allowed.
130
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Other features
Discover page The Notes 9.0 Social Edition client introduces a new home page called the Discover page. With the Discover page, users can find targeted Notes client information more quickly and easily, including what's new in the release, introductory material for new users, and helpful hints and tips. There is also a "Quick Links" tab that allows users to launch their workspace, Mail, Calendar, and other Notes applications they have recently used, in addition to other resources, such as the Notes and Domino wiki. Please note: A user who has customized their home page prior to the Notes 9.0 Social Edition release will still show that custom homepage in the Notes client. Support for IBM Social Theme Support has been added to the current beta release for the IBM Social theme. This theme provides a new, cleaner, more modern look to the Notes 9.0 Social Edition client. This theme is being adopted across the IBM product line for UI consistency. The new look is implemented as an additional theme available to the end user; choose File - Preferences - Windows and Themes , and select the IBM Social Theme. The end user still has the ability to select any of the other themes, in addition to this new theme.
131
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Default preferences have changed Some default preferences have changed in the current release of Notes, as outlined below:
z z
The new IBM Social theme is turned on by default. If you use pop-ups for new mail notification, youll now see an unobtrusive slide-in alert at the bottom of the screen.
To change this default behavior, select File > Preferences > Mail > Sending and Receiving to choose a different option.
z
Email message tabs are automatically closed after you have replied to, or forwarded, an email. To change this default behavior, select File > Preferences > Mail, and uncheck the "Automatically close original e-mail when replying/forwarding" option. Your most recent email messages will now appear first in your Inbox. To change this preference, select File > Preferences > Mail, and uncheck the "Most recent on bottom" option. Notes now processes all meeting updates automatically, and keeps your meetings up-to-date. New meeting notices automatically appear in gray on your calendar, before you accept them. To change this setting, choose File > Preferences > Calendar and To Do > Display > Views, then uncheck the "Display new (unprocessed) notices" option. Notes contacts are set up to synchronize with iNotes and/or mobile devices during replication.
z z z
New keyboard shortcuts Several new keyboard shortcuts and commands are available, that allow you to navigate Notes in a more familiar fashion:
z z z z z
Ctrl+1, 2, 3 - Open Mail, Calendar, or Contacts, respectively, from anywhere in Notes Ctrl+R - Reply to mail or calendar entry Ctrl+Shift+R - Reply to All on mail or calendar entry Ctrl+Alt+V - Paste Special Ctrl+Shift+V - Past as Plain Text
132
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Open Mail, Calendar, Contacts, or homepage in one click There are new icons next to the Open button, which you can click to open Mail, Calendar, Contacts, or the Notes homepage. These buttons are available no matter where you are in Notes.
You can choose to hide the buttons as well, by right-clicking and selecting "Hide ____ Shortcut Button." To display a button again, click View > Show Shortcut Buttons , and then select the buttons to show or hide.
133
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Use the mini-view to see work at a glance The mini-view allows you to see notices, follow-up messages, or to-do items in the left navigator of your Mail or Calendar view. The mini-view is collapsed by default; simply click the mini-view to open it.
Iberian Portuguese dictionary file available A dictionary file for Iberian Portuguese (pt) is available for installation from the IBM Notes 9.0 Public Beta download site. Mac Cocoa support The Notes Mac Client has been upgraded to support Apple's Cocoa UI rendering libraries. Although the User Experience in almost all cases is unchanged, we are looking for your feedback on anything that appears to work differently or not as expected.
134
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
New toolbar option A new toolbar menu now includes the option 'Show Toolbar Only When Editing'.
Improved integration with Lotus Protector As part of an improved integraion with Lotus Protector The "Block addresses" action in Notes mail will now present an improved dialog to allow blocking of domains.
Federated login (SAML) Federated login, based on a standard called Security Assertion Markup Language (SAML), extends trust between web sites that act as identity providers to other web sites that are service providers. Depending on how your Domino administrator has implemented federated login, you may be able to re-use your password for certain external web sites that are trusted service providers to your organization. Or, as an example, you can supply your Kerberos password and access a Domino Web Server. Check with your administrator for details on trusted service-provider web sites. This is similar to how Notes Shared Login works, with two main differences: only administrators can control whether federated login is turned on, and federated login works with Citrix. For more information about federated login, please see the Domino Server portion of this document.
135
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Granting access to OAuth -compliant Web applications The Domino server can now use a credential store, which is a secure repository for document encryption keys and other tokens necessary for Notes and iNotes client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts. If a Notes or iNotes client user runs the Social Edition OpenSocial component, a credential store provides the following benefits:
z z
iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster. Notes users can authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts.
Client users take no action to configure the credential store; it is entirely set up and managed by the Domino administrator. For more information about the credential store, please see the Domino Server portion of this document.
Patches
All patches are posted separately to the download site. See the main Public Beta announcement for instructions on installing them.
Fixes
The items listed as fixed in Notes 9.0 Social Edition are cumulative, and may or may not be included in the currently available beta release. If you can easily test an issue out to confirm, we recommend you do so; otherwise you can request updates on specific SPRs listed in the fix list via the available beta forums. The fix list is available at the following website: http://www-10.lotus.com/ldd/r5fixlist.nsf/Public?OpenView
136
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Known issues
This section captures general issues that have the potential to hamper your use of the IBM Notes 9.0 Social Edition Public Beta client, and offers workarounds where possible.
137
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Windows: File icons may not be updated On Windows XP, after upgrading from Notes 8.5.x to Notes 9.0 Social Edition, the icon for *.ics files, and other files to be opened by Notes, still display with an older, yellow-colored appearance in Windows Explorer; the expected icons should be colored blue. By default, Windows uses icons stored in IchoCache.db to display icons, so file icons will not even though the Notes icon has been changed. As a workaround: 1. Press Ctrl+Alt+Del to start the Task manager - on the "Process" tab, find explorer.exe, and kill it by clicking "End Process". 2. In Task manager, open a DOS command window, type cmd, and click Enter. 3. In the command window, remove IconCache.db by typing del C:\Documents and Settings\<User>\Local Settings\Application Data\IconCache.db /a 4. Restart the system. This issue is being tracked by SPR # FFJJ8ZJAGM Windows: Client may hang when selecting section , if running YouDao dictionary The Notes client may hang when you select a section, if you are running the YouDao dictionary. This issue is being tracked by SPR # YYYY92UBQV Mac OSX: Upgrade from earlier beta release requires uninstallation Notes will fail to launch if you are upgrading from an earlier beta release to the Notes 9.0 Social Edition Public Beta build with 'OpenSocial component' selected As a workaround, before upgrading to Notes 9.0 Social Editon, uninstall the earlier beta social add-on (run sudo ./addonUninstall.sh, which you can find in Notes854_EEAddOn_mac_cd5_prod.dmg) or uninstall Notes completely before upgrading. This issue is being tracked by SPR # XTCN92UCBC Mac OSX: Notes federated login (SAML) may encounter form with no data If you have configured your Notes client for Notes Federated Login on Macintosh, and you start the Notes client, you may be unable to log in for one of two reasons:
z z
If the related IdP is configured as form-based, then the Notes client will display a blank log-in form page with no data, which will prevent you from logging in If the related IdP is configured as Kerberos-based, then the Notes client will hang, preventing you from logging in
As a workaround, the side patch for SPR# KKSS8XNARP, available from the Public Beta download site, can fix this issue. This issue is being tracked by SPR # HFCG8XLEB3
138
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Mac OSX: Roaming user may hang exiting Notes client If you are a roaming user on the Mac Notes Client, you many hang when exiting the client if you have the Replication and Sync page open and answer Yes to the prompt about updating the server. As a workaround, close the Replication and Sync tab before exiting the client, or answer No to the "update the server" prompt. This issue is being tracked by SPR # AJAN8XUK6M Mac OSX: Some file types may not be viewable The viewer function that uses KeyView library on Mac does not support spaces in its execution path. In this release, the Mac Notes pathname is "IBM Notes.app", which is also part of KeyView's execution path, and contains a space. Because of this, .ppt, .pptx, .odp, .pps, .sxi, .cgm, .wpg, .pre, .prz, and .sdw files cannot be viewed. This issue is being tracked by SPR # XXFF922BPX Mac OSX: New mail and calendar forms may not accept input After running for 2-3 days, new mail and calendar entry forms will no longer accept keyboard input on Mac 10.8. This issue is being tracked by SPR # GKYU927F22 Linux: Deprecated packages required for Notes client On Linux, the Notes client depends on deprecated packages: libgnomeprint and libgnomeprintui. As a workaround:
z z
On RedHat, configure YUM, and install Notes by using yum -install <Notes rpm> On Ubuntu 10.04/12.04: Ensure internet is connected, and double-click Notes installer(deb) to install it via GUI.
This issue is being tracked by SPR # YYSN895973 Linux: Do not launch Notes as root (Ubuntu) An additional "IBM Notes 9" menu will be added under 'Applications > Office', if a user tries to launch Notes as root. Users should not launch Notes as root, and "Error Code 493: Do not run as root" will be displayed on screen. This use case is not supported by rpm/deb Notes. This issue is being tracked by SPR # SNIR92HCWB Linux: Scroll bar in Java portions may not work On Linux Ubuntu 12.04 (Unity), in Java portions of the Notes client, the prompt line for the scroll bar will display, but cannot be expanded with the mouse pointer. This is a third-party issue which is being tracked by https://bugs.launchpad.net/unity/+bug/890986. As a workaround, use the keyboard or mouse wheel. This issue is being tracked by SPR # YYSN8NFE9P
139
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Linux: Order of items in menu bar displays incorrectly On Linux Ubuntu 11.10/12.04 (Unity), the order of items in the menu bar is incorrect when switching focus between different parts of Notes. This is a third-party issue which is being tracked by https://bugs.launchpad.net/bugs/904275. As a workaround, set an environment value for Notes only. Open a terminal, type "export UBUNTU_MENUPROXY=0", then launch Notes by command. This issue is being tracked by SPR # YYSN8NFFT6 Linux: Clicking Notes Document links displays error message This issue was seen using Linux Ubuntu 12.04 (Unity) and RedHat 6.3. When you click on a Notes Document Link, the error dialog: "Notes is not a registered protocol" pops up, and the Notes document can not be opened. This issue is being tracked by SPR # JRBJ8YB5KT Citrix: User cannot launch Notes after reinstall , with custom data location When upgrading to IBM Notes 9.0 Social Edition from a previous version of Notes, on a Citrix server using the MULTIUSERCOMMONDIR property, the previous Lotus\Notes\Data\notes.ini file will be left in the MULTIUSERCOMMONDIR directory. This file will prevent the Notes client from starting for users who have not previously run Notes. The solution is to manually remove this file after the installation finishes. This issue is being tracked by SPR # XTCN92KEQW Calendar: Exporting a repeating meeting as an ICS file then re -importing it may cause a crash There is an issue that affects users who export their Calendar contents as an .ICS file, and then import the contents back into their Calendar; this does not affect normal .ICS file use, such as simply importing new content. Normally when Notes detects that the data in an iCalendar .ICS file already exists in the user's Calendar, Notes will notify the user and ask them if Notes should overwrite the existing entries or not. If the user agrees, the existing calendar entries are removed and the import continues. If the user disagrees, the import does not happen. This behavior has changed - instead of removing the existing documents, and new documents being created, the existing documents are not removed, and Notes can crash. This does not happen on every Notes installation but on installations where it happens once, it will happen consistently. As a workaround, manually remove the entries that are identified by Notes as being duplicates; if they are removed manually, there are no entries for Notes to attempt to remove. Or, avoid reimporting iCalendar entries that already exist on the Notes Calendar. This issue is being tracked by SPR # FFJJ8XND69 Client UI: Open list icons look the same for different themes For the current beta release, the Open list for both the Notes 8 Theme and the IBM Social Theme uses monochromatic icons for all of the items in the default Open list. For the final release, the Notes 8 Theme will display the correctly-colored icons. This issue is being tracked as SPR# DBRO92HJF6
140
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Client UI: Mail with DBCS may display incorrectly on Win 7 64-bit Mail containing DBCS characters may display badly on a Windows 7, 64-bit machine. When the font name of the text in a document is incorrect, Notes may not handle the document properly, and displays the text with an incorrect font. This issue is being tracked as SPR# XXFF8ZLC5M Client UI: Toolbars disappear in documents opened for editing There is a known issue where toolbars may disappear in documents that have been opened for editing. As a workaround, click within the document or disable the "Show Toolbars Only When Editing" option from the 'View -> Toolbar' menu. This issue is being tracked as SPR# SLAE92QP2R Client UI: XPages toolbar may not appear in context There is a known problem with the XPages toolbar in the in Notes client. The toolbar does not appear when the "Show Toolbar only when editing" option is selected in Notes. To use the XPages toolbar in Notes, please deselect the menu option "View -> Toolbar -> Show Toolbar only when editing". This issue is being tracked as SPR# EGLN923NXL Client UI: Cannot drag-and-drop to RTF field Dragging-and-dropping a Mail view or Folder to a new mail message does not create the view/folder link in the message. Instead, a prompt is shown to the user with the message "Getting View Information". Clicking 'Yes' on that prompt displays the same message after a short delay, clicking 'No' on the prompt stops it from being shown, but the link is still not created. This issue is being tracked as SPR# HPXG923B7S Instant Messaging : Notes may crash transferring empty folder on Mac OSX In a chat window, if you select an empty folder to send to another user, you will see an 'empty folder' notification message, and Notes may then crash. There is currently no workaround for this issue, so please be sure to send a file instead of an empty folder. This issue is being tracked as SPR# YJLN8WS9MV
141
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Instant Messaging : Notes may crash changing contact list font on Mac OSX This issue appears in the following scenario: 1. Launch Notes and log into Sametime 2. Show both the Sametime Contacts panel and the Sametime Primary Contacts panel (display the Primary Contacts using the Classic view). 3. Select Preferences -> Sametime -> Contact List -> Contact List font 4. Change to another font and size, and click OK. 5. The Sametime Contacts panel is refreshed correctly, but the Primary/Recent Contacts panel does not show members at all (the panel is blank, with only an arrow icon) 6. Click the arrow icon in the Primary Contacts panel, or try to display this panel with another view, i.e., switching between Primary/Recent/Frequent Contacts. Notes may then crash or hang, because the Primary Contacts view is not immediately refreshed after the font is reset, and the old fonts have been disposed. As a workaround, reboot Notes. This issue is being tracked as SPR# YJLN8XV3SJ Instant Messaging : Drag-and-Drop issue on Mac OSX On Macintosh OS X, in embedded IBM Sametime, if you drag a person or group from the Contacts panel to the Sametime Primary Contacts panel, Notes may hang and eventually crash. This is more likely to happen if you repeatedly drag items. As a workaround, instead of dragging people to the Sametime Primary Contacts panel, use the menu action by right-clicking on the person and selecting "Add to Primary Contacts." This issue is being tracked by SPR # MLUO8VDAZL Instant Messaging : Business card "sticks" on Mac ("Cocoa" platform) Notes builds with Macintosh "Cocoa" support show a Business Card display issue. When you bring up the Business Card in Notes, for example by hovering over a livename, it typically gets dispersed when you hover away from the card. The problem is now when you switch to another application while the Business Card is still open, it won't be dispersed when you hover away from the card to the other application. To work around this issue, hover away from the card, and back to Notes. Note: to get around similar disposal issues, the BusinessCard was replaced with the old Sametime card in some places. This is just a temporary solution until the disposal issues are resolved. This issue is being tracked by SPR # YYSN8UTG8E Instant Messaging : Video always seen as black screen on Mac ("Cocoa" platform) There is a known issue where video is always seen as a black screen during a 3-way video conference call, when a Macintosh user is the moderator. Sometimes the video will flash and then disappear. As a workaround, set the 'incoming_video_formatting' flag to "none" in the preferences.ini file of the com.ibm.collaboration.realtime.multimedia.phonegrid plugin, at eclipse\plugins\[location for the moderator], and restart Notes. The video will then be seen without any issue. This issue is being tracked by SPR # MLUO8VTCHQ
142
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Instant Messaging : Video window in 2-way call restores to original size on Mac ("Cocoa" platform) If a user resizes their video window to a bigger screen, or clicks on full screen, during a video call, and then does a video control operation such as "Mute/Unmute", or "Stop sharing my window/Share my window", the video window restores to its original size. There is currently no workaround for this issue. This issue is being tracked by SPR # MLUO8WTCTR Instant Messaging : Sametime Quick Find and Chinese input method issue on Mac ("Cocoa" platform) There is a known issue in the embedded Sametime Quick Find feature. If you are using the Chinese input method to enter characters, and click the Sametime buddy list before finishing input, it will cause the Notes UI to display incorrectly, and will ultimately crash the client. The workaround is not to do any other operation before finishing inputs to Quick Find with the Chinese input method. This issue is being tracked by SPR # MLUO8V25XA Discussion app: All Documents view not correctly rendered The All Documents view may render incorrectly, making it difficult to click on document links. This issue is being tracked by SPR # LHEY8WDHW Discussion app: Navigating back to main view (mobile) may not work Navigation back to the main view on a mobile device does not work after deleting a reply document. This issue is being tracked by SPR # LHEY8XFLL Teamroom app: Status Reports view (mobile) may cause runtime error The Status Reports view on a mobile device may cause a runtime exception, as it tries to resolve an unknown column reference. This issue is being tracked by SPR # LHEY8XFLG9 Teamroom app: Send to Reviewers not working The "Send to Reviewers" email notification may not work in the current TeamRoom template. This issue is being tracked by SPR # LHEY8XGGLG Teamroom app: Anonymous user sees exception when opening a document An anonymous user may see a "HTTP Web Server: Item Not Found Exception" message when opening a document. This issue is being tracked by SPR # LHEY8WSDCU
143
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Teamroom & Discussion app: View caching issue affecting mobile template use Page handling on page transitions may not be functioning correctly, making the mobile templates very difficult to use. This issue is being tracked by SPR # LHEY8W2FUC Teamroom & Discussion app: Dojo 1.7.2 upgrade may affect tag cloud An upgrade to Dojo 1.7.2 resulted in the tag clouds being broken in the Teamroom and Discussion application templates. This issue is being tracked by SPR # DEGN8RHJRX Replication: Automatic replication start may not work Replication may not be started automatically on Notes start up, even when the preference is enabled. Replication will start when users open Notes content such as Notes Mail, Calendar, a Notes Application, or the sidebar Day-at-a-glance. This issue is being tracked by SPR # JSKR8Y59H6 Search: Pressing "delete" may not delete characters in the 'Find' dialog When the Chinese input method is enabled, some Notes views will see the following issue. If you type "Shift -", there is a "" displayed in the 'Find' dialog; trying to clear it using the Delete key is unsuccessful. As a workaround, press the Delete key again; on Mac, use the "delete" key on the keypad. This issue is being tracked by SPR # YYSN92N5WD Search: Closing 'Find' dialog may not work correctly When the Chinese input method is enabled, typing "Shift -", then seeing "" displayed in the Find dialog, clicking the Close button will trigger the Find dialog again, on Windows machines. On Mac, this may actually break the Find dialog itself, for some Notes views. For example, switching to a basic Notes view while the Find dialog is still open, and then attempting to close the dialog by clicking on the Close button or the X for the window, will disable the Find dialog for any basic Notes view again. To workaround this issue, open a document and press "Command+F" to bring up a Find dialog, then switch back to a basic Notes view, and Find will start to work again. This issue is being tracked by SPR # YYSN92N5PA Search: Quick Find may not display some names The Quick Find feature is expected to search for both Notes addresses (John Acme/US/IBM) and internet mail address (jacme@ibm.com), for the same contact. In the current release, Quick Find only shows the Notes address for a contact. There is currently no workaround for this issue. This issue is being tracked by SPR # JHYI8V8S6R
144
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
145
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
On Firefox, Safari and Chrome, an error may be encountered if a draft calendar entry with no invitees is saved and reopened (YJSI8XLDLG) A user added to an existing meeting as Optional or FYI may not see the other meeting invitees on the meeting invitation. The other invitees will be displayed once the invitation is accepted (MCHN8XGC8X) On a new calendar event, a time entered by typing in the value rather than using the timepicker may not be preserved once the event is saved or the invitation is sent (SANR8XNPLP) Adding and removing a room and resource to an existing meeting in a single update may result in the resource not being removed from the meeting update (SANR8XVMYS) If an invitee declines an invitation to attend a repeating meeting invitation, they cannot re-open that invitation at a later time to accept; they will see the error message: "A problem has occurred which may have caused the current operation to fail". If the invitee picks 'Decline but keep informed of updates' then updates from the chair will still work. (YJSI92A8XK) When a Chair sends out a meeting request to 2 or more invitees who accept, if one of the invitees then couterproposes a new time and the Chair accepts the counterproposal, invitees will not receive reschedule notices (GKLA92FMTB) When a Chair sends out a meeting request to one or more invitees, then performs an update to the meeting like changing the location or a category, the "Private" setting on a meeting can be lost. This means that a delegated user may now see entry contents which may not be intended. (SANR8YVJ6S) Users are unable to change the date on a weekly repeating reminder; each time you try and save it, the reminder changes back to the original time. (GKLA8ZZ4VH)
z z z
Some web widgets might not be able to render in a tab, sidebar, or floating window, as these areas use iframes. Any web page that is not allowed to be rendered in an iframe will not be able to render in these areas. Web widgets will be able to render if you open them in a new window. Web widgets that are created from web forms will not be supported in iNotes When deploying OpenSocial, a user could lose widget data if: 1) The user's mail is a replica that saves space using a custom selection formula rather than the Remove documents not modified in the last N days option; and 2) the user or server's automatic widget update has not performed any data changes for the user in a time period that exceeds the custom selection formula criteria. Live text does not work when opening an email message in a new window.
z z
146
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Domino Designer
Purpose of this Public Beta
Introduction
The purpose of this Public Beta is to demonstrate new aspects of IBM Domino Designer and some of its related tools, and to collect feedback on specific aspects of the Domino Designer product.
The identity of the current release of Notes and Domino has changed from "8.5.4" and "8.5.4 Social Edition" to "Domino Designer 9.0 Social Edition." The term "9.0 Social Edition" refers to the overall release, and not a particular component or feature. This change will be visible in several areas of the product, such as splash screens, Help/About screens, install panels, and consoles. The add-on install packages for Notes and Domino that were previously called "Social Edition" have been renamed to "Domino Social Edition Embedded Experiences Add-On," and the Notes Application Plug-in has been renamed to "IBM Notes Browser Plug-in".
The log file will also contain the following information: 15:13:16.7342SEVERE CWPPR0067E: The install request for feature com.ibm.xsp.extlib.feature conflicts with another request for the same feature. IMPORTANT for users with any previous installations of any OpenNTF Extension Library - You must UNINSTALL any OpenNTF Extension Library that you may have installed in the Notes client BEFORE you install the Social Edition Beta. IMPORTANT for other users : Before installing this Public Beta software , you must first uninstall your existing Notes version . You cannot upgrade from an existing Notes version to this Public Beta code. The following installation information is provided in this section to assist you in using Domino Designer for this Public Beta,
147
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Software requirements
the Public Beta version of the Domino server https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-ldnext beta the Public Beta version of the Notes client https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?lang=en_US&source=swg-ldnext beta
Installing Domino Designer The Notes client supplied for this early release should be installed on a non-production system as upgrade and downgrade testing has not been emphasized for this early release. It is recommended that you do a clean install and specify the default file path (for example, C:\Program Files\IBM\Lotus\Notes). Note: Be sure that the target directory is new and empty; do not specify an existing folder. You must specify a new and empty directory in response to this prompt. This is the directory in which the additional files, or framework, that are part of IBM Notes.Next Beta but not part of traditional Notes, are installed.
z z z
Start the Installer. Read the preview screen for installation directory, features, and size - make sure that you choose Domino Designer as one of the features you wish to have installed. Click Install.
Patches
All patches are posted on the download site. See the main Public Beta announcement for instructions on installing them.
You may see discrepancies between the Domino Designer interface and what is actually documented in some of the documentation plugins and Public Beta documentation.
148
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
149
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The toolbar button is always available in the Domino Designer, XPages, Debug, Java, Plug-in development and Resources perspectives. It is hidden by default in all other perspectives. The button serves as a clickable button, or as a drop down menu button. Clicking on the actual toolbar button will have one of two effects:
z
If a Server Side JavaScript Debug Configuration does not exist, and a Remote Java Application Debug Configuration does not exist; then a new Server Side JavaScript Debug Configuration will be created, and will be selected in the "Debug Configurations" dialog. If a debug configuration already exists then the last run configuration will be launched, without the Debug Configurations dialog being surfaced.
Clicking on the drop down arrow will reveal a sub menu. If there are no debug configurations in the current workspace, then the "Manage Debug Configurations" menu item will be the only one available.
150
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Selecting this menu item launches the Debug Configurations dialog and automatically creates a Domino Designer JavaScript Configuration:
151
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The configuration UI has been updated to contain specific details on how to configure a server so that it can be debugged. The relevant text is selectable:
If debug configurations already exists then the drop down menu item will show those configurations:
152
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
First - any/all of the Server Side JavaScript configurations will appear (alphabetized). Second - any/all Remote Java Application debug configurations will appear (alphabetized). Last - the Manage Debug Configurations.. menu item will be available.
Clicking on any of the configurations in the list will cause that configuration to be launched without the Debug Configuration dialog being invoked. Pressing the Manage Debug Configurations... menu item will cause the Debug Configurations dialog to be launched and the first configuration in the list will be selected automatically. Error cases In any case where the configuration fails to establish a debug connection with the server/preview server, an error dialog will be presented explaining what has happened, and how the server needs to be configured to establish debug connections (note the configuration text is also selectable in this dialog):
153
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Breakpoint locations are not validated in Designer, so be careful to make sure you are placing a breakpoint on an executable line of code.
Conditional Breakpoints
It is possible to create a Boolean condition which will be evaluated dynamically during debugging to determine whether to stop at the given breakpoint. To set a breakpoint condition, right-click a break point, and choose "Breakpoint Properties..." to bring up its property dialog. The expression will be evaluated in the context of the executing JavaScript at the location of the breakpoint, and should evaluate to a Boolean. A true value means the execution will stop at the breakpoint. The editor for the condition is a plain text field; there is no JavaScript syntax checking or highlighting. Be careful to enter valid JavaScript, otherwise the breakpoint will be ignored (will not stop).
154
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If your application is not yet open in the Application view, open it now. Otherwise, Designer will not be able to open the actual design element editors when displaying code - it will display a 'stub' editor (with the title "Debug Editor"). It is not necessary to open any of the design elements in an editor, it is enough to simply expand the application in the view. If the debugger opens an editor with the title "Debug Editor", this means it was unable to open the design element, you should first check that the application is open in the Applications view. If you have the Configuration dialog still open, click the "Debug" button. Note: You can open the dialog again using "Debug IBM Domino Designer JavaScript" - > "Manage Debug Configurations..." menu item or toolbar item. Once a connection with the target server is successfully made a status message will be displayed in the status bar ("Debug connection successfully created using [server] on port [port number]"):
z z
Once connected, run your application (for example, open a page from the browser). If the application suspends, your browser will wait, while Designer displays where the application execution is suspended along with the values of all of the relevant variables.
Debug (stack frame) View - This view tab shows the current stack frame. The Java stack is also shown, though this is not important to debugging SSJS. Instruction Pointer annotations in the editor (arrow and highlighted instruction) - When stopped at a breakpoint, the editor for the SSJS that is currently suspended is opened and the related instruction pointer annotations appear. When opening the XPages editor, the source tab is automatically brought to focus. An arrow in the left margin of the editor indicates where the execution of the code is suspended and the line of the currently executing SSJS is selected. Variables View - This view tab displays the currently defined variables and any values they may have at the time of the suspension (or "undefined" if no value is assigned).
155
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
You may end your debugging session by pressing the "Terminate" toolbar button in the Debug view:
You may terminate your debug session at any time, and may optionally restart debugging using the steps above at any time. Only one user may debug a server at one time.
156
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Home page
The Home page QuickLinks tab contains a list of working sets, as well as basics tasks, links to additional information, and a tip that refreshes each time the Home page refreshes. The remaining tabs on the Home page include snippets of information to help new users and upgrading users, and provides links to the documentation for more information. You can close the Home page at any time. To reopen it, choose Help > Home.
Domino Designer Home Page Applications Navigator working set toolbar drop down menu
On the Home Page, Domino Designer checks if all of the applications contained within the Applications Navigator are contained within a Working Set. If it is determined that one or more applications are not contained within one or more working sets then Designer reloads the Home Page. During that process it then adds a new "Applications Not in a Working Set" list item to the Home Page. From the Applications Navigator, when you click on the menu button, Domino Designer determines if any of the applications are not in a working set. If it determines that one or more are not, then the newly added "Applications Not in a Working Set" menu item is enabled. Conversely, the same menu item will be disabled if all applications are organized in working sets or if there are no working sets (in which case all applications are not in a working set). When the "Applications Not in a Working Set" feature is enabled, the Applications Navigator only shows applications which are not currently in a working set. The title bar of the Applications Navigator changes to say "Other" and the tool tip will read "Applications Not in a Working Set.". You can add applications which are not currently contained in a working set to a working set. If it is the case that all applications that were not contained in a working set are then added to working sets while "Applications Not in a Working Set" is enabled, the Applications Navigator appears empty and the Home Page is reloaded. This time, however, the "Applications Not in a Working Set" item will not be visible and the "Applications Not in a Working Set" menu item in the Applications Navigator menu will be checked but disabled.
157
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
If you already have existing XPages, you must add a new control to the XPage (via drag and drop from the Controls Palette) in order to enable the new content assist functionality. For this release, content assist only works within tags - that is, it can only be used to autocomplete attribute names within tags.
158
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
159
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Hovering over xpCGIVariables.jss and clicking on the resulting hyperlink in the above example opens the following selected desig
Hyperlink navigation lets you open several different types of design elements based on the value of a control (in the case of custom controls) or based on the value of an attribute (in all other cases).
160
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
161
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Put focus on a control to handle a control event or put focus outside all controls to handle a page event. Click the Events tab. In the left pane, select the event to be handled. In the middle pane, click the Server tab. Click Simple Actions. Add the single action as follows: Select the Send Email simple action. Specify the simple action and its properties, and click OK.
162
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Argument
Description
Send Mail From To Cc Bcc Subject Body (HTML) Body (Plain text)
Send Mail action sends a mail and optionally embeds content in the mail The sender of the email Comma separated list specifying the addresses of the recipients to receive the email Comma separated list specifying the addresses of the recipients to receive a copy of the email Comma separated list specifying the addresses of the recipients to receive a blind copy of the email The subject of the email HTML for the body of the email Plain text for the body of the email
163
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
Argument
Description
The importance flag for the email (possible values: Low, Normal, High) The delivery priority for the email (possible values: None, Only on failure, Confirm delivery, Trace entire path) Boolean value specifying whether to prevent recipients from copying the email Boolean value specifying whether to add a Confidential prefix to the email subject
164
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The following properties are available for this tab. The arguments made available depend on the choice you make for a format. Selecting the JSON format results in JSON data being generated by the XPages runtime for the Embedded Experience.
165
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
JSON:
Selecting the XML format results in XML data being generated by the XPages runtime for the Embedded Experience.
166
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
XML:
Arguments
Description
The format of the data which is generated by the XPages runtime for the Embedded Experience OpenSocial gadget URL to use as a part of the embedded experience The context to be passed to the embedded experience. This is a key value pair. HTML URL to use as a part of the embedded experience with optional parameters, for example: http://myco.com/myxpage.xsp?param1=value1¶m2=value2
167
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
JSON (Advanced)
The Embedded JSON field allows the application developer to enter RAW JSON data which is to be used in the embedded experience.
168
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
XML Advanced
The Embedded XML field allows the application developer to enter RAW XML data which is to be used in the embedded experience.
169
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The Boolean Converter allows the application developer to store a Boolean object of TRUE or FALSE in the data store as opposed to their corresponding string alternatives.
New rowAttrs property was added to the View Panel, File Download, and Repeat controls. New Panel control tagName property was added as support for the proposed new container HTML elements. New Edit Box control type property was added, with runtime checking preventing type="checkbox" or any of the older HTML 4 types.
170
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
XPages is now its own Preferences category Extension Library and Palette Preferences have been added under the XPages category "Show line breaks in editor" preference is now "Show line breaks in design editor" as it refers to the source editor Bubble help preferences and hover help preferences were moved from the Domino Designer preferences panel to the XPages panel/XPages Editor group. New checkboxes and some associated timers for hover help and content assist were added to the XPages panel/XPages Editor group. The timer controls are for hover help only and will be grayed out if the checkbox is unchecked. A new preference lets the user turn auto-indenting on or off in the LotusScript editor, it is located in the General section of the LotusScript Editor Preferences tab. The current default value is that this feature is enabled.
This new context menu item is only enabled when an Application is selected, and the same application is
171
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
already open. The menu item will be disabled when a node in the design element tree is selected. For example, you can see below that a view design element is selected in the active application so the Close Application option is currently disabled.
When selected, the Close Application menu item will close the currently selected application along with closing all design elements from that application that are currently open.
172
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The JAR design element is found in the Application Navigator under Code, right next to the Java element.
There is no need for JARS to have aliases and, as such, they are not supported. The design list for JAR is fairly simple and identical to that for files, with the exception that the Alias column is removed. As the size information of a JAR could be needed, that is included as a Bytes column. Finally, all the New menus have entries for this new element in the list of design elements as well.
173
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
From any of the various ways to create a JAR, you are presented with the following standard Eclipse dialog to choose a file, with the list filtered to include jars. You then select the JAR(s) you need, press Save, and the JAR is then imported into the application.
174
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
When a JAR file is in an application, it is physically present as a single note. The Application Navigator shows it under Code/Jars, which is where you can most easily work with it. J2EE applications, however, expect JAR files to reside under web-inf/lib, so there is an additional virtual projection of the same note to that location as well. This example presents a look at how that would appear in the Eclipse general navigator:
In the above example, the file jsdk.jar appears twice, but it is actually in the NSF only once. This is done to allow ease of use while maintaining proper web application structure. Just as with other file design elements, an Export function is also available and JARS can be signed with the Sign action.
175
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The classpath is adjusted for each JAR in the NSF, so any design time compilations can resolve any references to the jar. The changes to .classpath are not persisted to disk, so that older versions of Designer do not malfunction.
Runtime Considerations
At runtime, the JAR note is expanded into the XPage runtime file system under web-inf/lib, and is available to server JS on an XPage, as well as any Java class referenced in that environment.
Launch Option to Run Server -Based XPages Applications Directly on a Domino server
XPages applications on the Notes client face performance challenges when running applications that reside on remote Domino servers. This occurs because many network transactions must be carried out when executing the XPages application in the Notes client. Because XPages Notes applications run in the local Notes XPD web container, all of the XPages Java classes (XPages and custom controls) must be copied across the network from the remote server to the Notes client to be executed. Similarly, all page resources (CSS, JavaScript, GIFs, etc.) must be fetched from the remote server, as well as the actual data documents. Moreover, if your XPages application leverages other Notes design artifacts (for example, using the computeWithForm feature), then large design elements like forms, subforms, shared fields and so forth must also be fetched remotely. On high latency networks, this can have significant performance impacts, particularly if your application has been designed primarily for the web and not optimized for the Notes client. A new Domino Designer launch option now lets you avoid this situation. The new Notes client launch option is called "Run server-based XPages applications directly on Domino server ." When this option is checked and the application is launched by a Notes user, the XPages runtime is requested to run the application on the Domino server over HTTP. This launch option lets you request that remote applications be run on the Domino HTTP server - just as they are for the web user - and displayed in the Notes XPages container. The advantage to this approach is that a lot of network transactions are eliminated to improve performance. For this request to be honored, a number of conditions must be in place. Primarily, the user must have a Notes HTTP account set up. These accounts can be set up directly on the Notes client or remotely on the Domino server and then provisioned to the Notes client. To create or view Notes accounts select File > Preferences > Accounts in Notes. In attempting to honor the request to the XPages application on Domino, XPages iterates through all the Notes accounts defined in the Notes client installation until it finds an HTTP account that matches the name of the server where the application resides. Once those criteria are met then a Domino XPages URL is constructed and the request is sent to the Domino server and the application then loads in the Notes client. If a matching account is not found or if the request to the server cannot be serviced (e.g. some other incorrect account detail) then you will be prompted to close the application window or to revert to running the application using the local Notes web container.
176
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The Notes Accounts framework and the underlying XULRunner browser automatically passes the user credentials to the web server for automatic authentication. Thus the user should not be challenged for authentication. If you are prompted for user name and password then the runtime Notes/Domino configuration is not correctly set up (for example, incorrectly configured Domino SSO). However, you should be able to verify this independently of XPages by simply entering a URL to the application via the Notes browser address widget on the Notes toolbar. When running an application on the Domino server within the Notes client, all custom Notes functionality should function as it does when running in native XPages mode. For example, context menus should behave the same (File > Save, File > Replication, Open in Designer, etc), "dirty" document save, client-side JavaScript functions. etc). One exception is that composite applications will not be able to utilize client property broker functionality when running on the server. You can also bypass setting this option in Domino Designer by setting a NOTES.INI feature, as follows: XPagesRunRemoteAppsOnServer=1 This setting will be applied to all XPages applications, not individual applications.
XPages / Programmability
New Calendaring and Scheduling (C&S) back end classes
For this release, a framework and first set of methods will be available for a Java API exposing Domino calendar and scheduling functionality. These provide the ability to create, read, update, and remove calendar data in a personal mailfile using standardized iCalendar (RFC 5545) data format. They also allow explicit calendar actions on calendar entries and notices (accept, decline, cancel, etc). Note: iCalendar allows for the capture and exchange of information normally stored within a calendaring and scheduling application; such as a Personal Information Manager (PIM) or a Group-Scheduling application product. The iCalendar format is suitable as an exchange format between applications or systems. The format is defined in terms of a MIME content type. This lets the object to be exchanged use several transports, including but not limited to SMTP, HTTP, a file system, desktop interactive protocols such as the use of a memory-based clipboard or drag/drop interactions, point-to-point asynchronous communication, wired-network transport, or some form of unwired transport such as infrared. The purpose of these initial classes and methods is to provide a basis for exploring development possibilities and for building small, simple calendar and scheduling prototype applications without needing to be fully versed in the internals of Notes Calendar and Scheduling. Note on additional documentation : The XPages JavaScript reference includes documentation for the new NotesCalendar, NotesCalendarEntry, and NotesCalendarNotice classes. This documentation also includes syntax and examples for the corresponding LotusScript and Java classes. Click Help - Help Contents and look under IBM Domino Designer XPages Reference - Domino. The following new classes were added:
z z
NotesCalendar NotesCalendarEntry
177
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
The following summarizes the new methods that were implemented for these classes:
z
Session.getCalendar
NotesCalendar z NotesCalendar.getEntry z NotesCalendar.createEntry z NotesCalendar.readRange NotesCalendarEntry z NotesCalendarEntry.read z NotesCalendarEntry.update z NotesCalendarEntry.remove Note: Trying to use any of the methods displayed in Designer that are not yet implemented will cause a "NotImplemented" exception to be thrown.
178
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
NotesCalendarEntry .read Returns the iCalendar string representing this calendar entry. If recurID is specified for a recurring entry, returns the iCalendar string for just that occurrence. recurID is expected to be a string representing the data/time that a particular instance was originally schedule at, formatted like an iCalendar RECURRENCE-ID. For example: "19960120T120000Z". See RFC 5545, section 3.8.4.4. String read() throws NotesException String read(String recurID) throws NotesException NotesCalendarEntry .update Given an iCalendar string (iCal) properly formatted according to RFC 5545, updates this calendar entry by passing in iCalendar. For recurring meetings, this is only currently supported for individual instances and the iCalendar input must contain a single VEVENT that specifies the appropriate instance with a RECURRENCE-ID, as defined in RFC 5545. If no comments are specified, this will NOT send notices even if this is a meeting. If this is a meeting where the mailfile owner is the organizer, appropriate notices will be sent, including the comments provided. Currently, any provided comments are ignored. void update(String iCal) throws NotesException void update(String iCal, String comments) throws NotesException NotesCalendarEntry .remove Removes (deletes) a calendar entry from the mailfile. If recurID is specified, then only that occurrence is removed. If this calendar entry is a scheduled meeting, it will be properly cancelled or declined, and appropriate notices will be sent to the organizer or participants. The version remove(recurID) will be changed to remove(recurID, scope) prior to the gold version of this software. void remove() throws NotesException void remove(recurID) throws NotesException
179
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
For Calendar & Scheduling, the JavaScript API is documented in the IBM Domino Designer XPages Reference under the Domino classes section. The new classes documented are NotesCalendar, NotesCalendarEntry, and NotesCalendarNotice. Also, by scrolling down in any of these JavaScript topics, you will find syntax information and sample code for the other interfaces (Java, LotusScript).
DXL problem: In DXL Export, when inconsistent data is encountered, an error/warning is issued, and the data is written as rawitemdata vs readable entities. Example of warning: warning: Inconsistent data encountered (noteid 1706; item fieldRichText; cd #16(4); note 0x1706) warning: Writing data as rawitemdata element due to previous warning
Facets are now visible - Facets (and their children) are now visible in the XPages Design Editor. Work done to address SPR.
XPages Extension Library control event handler added - An event handler has been added to XPages Extension Library controls. This is a fix to a widely reported issue in 8.5.3 in which the event handler was given the wrong prefix. This has been fixed for 8.5.4.
Related SPR# DEGN8LFE64: Event Handler namespace changes when added to controls from Extension Library
z
Related SPR# MLED8MDHXU: java design elements with underscores in the name do not function correctly
z
Java design element naming issue resolved- In a previous release, Java design elements with underscores in the name did not function correctly. This issue has been resolved.
Issue with Source Control when using Application icons - When using the Source Control enablement feature, if the application contains a new Application Icon (rather than the default application icon), the icon will be lost when synchronized with source control. As a workaround, you will need to re-add the icon to the application using Resources->Icon editor.
When using the Domino blog template, images are lost or broken when a post is viewed in a browser - In this release, creating documents with images works fine. You can paste in a graphic or HTML code, and it looks correct in the Notes client. When accessing the post via browser, however, the images break and the HTML code doesn't pass through. As a workaround to this issue, refresh the template.
180
IBM Notes, Domino, Domino Designer 9.0 Social Edition Public Beta
Release Notes
XPages
z
IMPORTANT: Users with any previous installations of any OpenNTF Extension Library - You must UNINSTALL any OpenNTF Extension Library that you may have installed in the Notes client BEFORE you install the Social Edition Beta. Widget publishing issue - Publishing a widget fails and causes a "Cannot find class com.ibm.rcp.toolbox.template.converter.PlatformConverter in nsf" exception in the widget catalog. After obtaining a new toolbox from a new build, replacing the design, and then opening the Widget Catalog in Designer to enable the agent, the publishing of the widget causes a "Cannot find class com.ibm.rcp.toolbox.template.converter.PlatformConverter in nsf" exception. Possible cause: If you have opened the Widget Catalog in Designer before, the classpath information for PlatformConverter may sometimes be missing.
Workaround: As a workaround for this issue, use the following steps to manually add the missing class path information and then rebuild the Widget Catalog. 1) Open the Widget Catalog in Designer, by right-clicking on the Widget Catalog and selecting Project Properties. 2) Select Java Build Path and click the "Add Folder..." button on the Source tab. 3) Add the source folder under WebContent/WEB-INF/. 4) Rebuild the project.
z
XPages rendering issue corrected - XPages previewed in the Notes client now render correctly after the local preview server port number is changed.
Related SPR# MLED8MRQRX: Reviewing xpage in client fails if http preview port changed
z
Issue with SpellCheck button in the CKEditor - The SpellCheck button in the CKEditor in XPages in the Notes Client does not work. There is no workaround.
Issue with Simple Mail Action - Having more than one recipient in the To CC or BCC field causes the Send Mail simple action to fail. To avoid this, use a group to send a mail to multiple recipients.
Issue with OneUIV3.0.2 theme and Date Time Picker helper control in Internet Explorer - A problem occurs when using the Date Time Picker helper control with the OneUIV3.0.2 theme with the aggregator turned on Internet Explorer browsers. In such cases, the Date Time Picker helper control will not display as expected. Dates and times can still be entered and edited but the input control will be missing the helper along with other styling issues. A workaround for this is to turn off the aggregator. Related SPR#s PHAN8Z7KVW and PHAN92ULF3
181