IBM iNotes Social Edition 9.0

BETA
IBM iNotes 9.0 Social Edition Administration Beta Help
December 13, 2012


Public Beta Edition (December 13, 2012)

This edition applies to IBM® iNotes® and IBM Domino® 9.0 Social Edition, and to all subsequent releases and modifications, until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1994, 2012. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. Product overview
  What's new in this release
  Administering iNotes
  iNotes ultra-light mode

Chapter 2. Getting started with iNotes
  Installing and setting up iNotes
  Setting up iNotes on a server
  Using Domino Off-Line Services (DOLS) and iNotes
  Registering iNotes users
  Enabling the mail usage indicator in iNotes
  Providing a log-on URL for iNotes users
  Using ID vault with iNotes
  Using an HTTP-proxy servlet to restrict URLs to external servers
  Using realm documents in iNotes
  Using iNotes Redirect to access mail in iNotes
  Setting up iNotes Redirect
  Using iNotes Redirect with portal views
  Using iNotes Redirect
  Using the new DWALoginForm
  Setting up archiving using policies and configuration settings
  Configuring archiving for all users on a server
  Configuring archiving on an individual basis using mail policy settings
  Using archive policy settings
  Enabling action menus in the mail archive
  Creating a URL for an iNotes portal
  Allowing pass-through of HTML

Chapter 3. Configuring iNotes
  Creating mail policy settings for iNotes users
  Showing the unread count on folders
  Enabling scroll hints
  Setting up automatic refresh for the Inbox
  Enabling RSS feeds for iNotes
  Using widgets in iNotes
  Preventing users from requesting a return receipt
  Creating security policy settings for iNotes users
  Desktop policy settings supported in iNotes

Chapter 4. Editing the configuration settings document for iNotes
  Secure mail for iNotes
  Adding a disclaimer to outgoing iNotes messages
  Configuring alternate name support in iNotes
  To allow users to display alternate names in the language of their choice
  To allow users to view alternate names in the languages set by the server
  Using browser cache management
  Setting up browser cache management
  Making calendar details available to all users
  Making Notes links work in iNotes
  Setting a maximum attachment size

Chapter 5. Specifying notes.ini file settings for iNotes
  Setting up type-ahead
  Using prefetch for documents
  Enabling Web-style search
  Allowing users to take the Domino directory offline
  Disabling the Active Content Filter
  Setting the level of automatic cache clearing
  Redirecting users to a Web page after logout
  Specifying the number of names to return
  Using GZIP to improve iNotes performance
  iNotes_wa_GZIP_Disable
  iNotes_wa_GZIP_Content_Types_Included
  iNotes_wa_GZIP_Content_Types_Excluded
  Enforcing two-digit years in a calendar
  Enabling days in work week calendar display
  Enabling or disabling the secondary calendar
  Enabling a whitelist of acceptable file types
  Using notes.ini file settings for iNotes in a mixed environment
  Preventing users from acknowledging a request for a return receipt on iNotes incoming mail messages

Chapter 6. Monitoring and Maintaining
  Monitoring iNotes activity
  Activity Log Information
  Renaming an iNotes user
  Using GZIP to improve iNotes performance
  iNotes_wa_GZIP_Disable
  iNotes_wa_GZIP_Content_Types_Included
  iNotes_wa_GZIP_Content_Types_Excluded
  Notes.ini file settings used when integrating iNotes with IBM Docs
  Notes.ini file settings used when integrating iNotes with Connections Files

Chapter 7. Integrating with other applications
  Setting up Quickr integration with iNotes
  Enable Quickr integration
  Set up an HTTP-proxy servlet
  Set up session-based authentication
  Specify user-friendly names for URLs
  User notes
  Setting up iNotes with Sametime
  Set up iNotes on a Domino server
  Set up the Sametime server
  Create connection documents
  Specify the Sametime server for iNotes users
  Set up the Instant Contact List in iNotes
  Set up Domino Web SSO authentication between the iNotes server and IM server
  Verify that instant messaging works with iNotes
  Setting up Sametime and iNotes in different domains
  Setting up Secrets and Tokens authentication for instant messaging in iNotes
  Using iNotes with Sametime and the Sametime proxy server
  Troubleshooting Sametime in iNotes
  Integrating Connections files with iNotes
  Integrating iNotes with IBM Docs

Chapter 8. Customizing iNotes
  Customizing the look of iNotes
  Creating an extension forms file
  Modifying the iNotes common forms file
  Enabling external calendars in iNotes
  Updating the forms file without a server restart
  Using iNotes agents
  Creating the agents
  Example

Chapter 9. Administering the Domino Social Edition Open Social component
  Configuring the widget catalog application
  Creating a widget catalog
  Configuring ACLs and roles in the widget catalog
  Enabling agents in the widget catalog
  Setting launch options for the widget catalog
  Configuring widgets for specific Social Edition client releases
  Setting iNotes preferences
  Locked domains
  Configuring locked domains
  Adding a wildcard record to a DNS server
  Setting up the Domino server to run the Domino Social Edition Open Social component and Shindig
  Creating the credential store application on the server running Shindig
  Configuring the credential store application for Domino Social Edition Open Social component
  Creating a configuration settings document for all servers that run Shindig
  Configuring Domino Social Edition Open Social component for iNotes clients
  Configuring server session authentication
  Configuring automatic updates for widgets
  Creating policies for Domino Social Edition Open Social component
  Using notes.ini file settings to enable widgets, embedded experiences, live text and OpenSocial features
  Widgets created from an OpenSocial gadget
  Approving a widget created from an OpenSocial gadget
  Editing an approved widget
  Editing proxy settings for an approved widget
  Adding proxy settings to an approved widget
  Removing a proxy rule and its settings from an approved widget
  Removing all proxy settings from a widget
  Removing approval for a widget
  Modifying OAuth data after widget approval

Chapter 10. Configuring secure Web federated login for iNotes using SAML
  Supporting federated login on the iNotes client
  Deploying the ID vault and security policy for Web federated login
  Enabling the Domino Web server that runs iNotes to provide SAML authentication
  Configuring the ID vault for Web federated login
  Using a security settings policy to apply a Web federated login configuration to client users
  Setting up the SAML identity provider and federation

© Copyright IBM Corp. 2012, 2013

Chapter 1. Product overview

Learn about new features in this version of IBM® iNotes®, supported hardware and software, and accessibility features.

What's new in this release

IBM iNotes 9.0 Social Edition delivered a number of new features and functionality in the IBM Domino® 9.0 Social Edition release.

Features added to the iNotes 9.0 Social Edition release

Configuring Domino Social Edition Open Social component for iNotes clients

IBM Domino Social Edition Open Social component 9.0 adds social and web features to make third-party processes available directly in the client user's mail. Domino Social Edition Open Social component 9.0 supports:
- IBM iNotes Widgets and LiveText
- OpenSocial 2.0 Gadgets in the sidebar, pop-ups, and anywhere IBM Notes® and iNotes previously made widgets available
- Embedded Experiences in Notes and iNotes

The Open Social component is deployed and configured on two server components: a Domino mail server, and another Domino server running Shindig, both with the Open Social component installed. In addition, the Domino mail server supports iNotes and hosts the widgets catalog, and the Domino server running Shindig hosts the credential store application.

For more information on installing and configuring the Open Social component on your Domino server, see What’s New for IBM Domino in the Notes and Domino wiki.

Several configuration changes are required to support Domino Social Edition Open Social component features in iNotes. See the IBM iNotes Administration product documentation in the Notes and Domino wiki for more information.

http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

Server notes.ini file parameters for Domino Social Edition Open Social component

There are new notes.ini file parameters on the Domino server for enabling aspects of the Open Social component.

Note: These settings have no effect on the Notes or iNotes client unless the Open Social component is installed.

Table 1. Notes.ini file parameters for Domino Social Edition Open Social component, Related to iNotes clients. Table shows parameters and acceptable values, followed by a description.

Parameter: iNotes_WA_EnableEE
Default value: 1
Acceptable values: 0|1
Description: Set to 1 to enable Embedded Experiences in iNotes. The default is 1.

Parameter: iNotes_WA_Widgets_AutoUpdate_Group
Default value: N/A
Acceptable values: Name of a Domino group
Description: Sets a directory group name that is used during iNotes Widgets automatic update; all members of the group have auto update run for them.

Parameter: iNotes_WA_Widgets_AutoUpdate_Min -OR- iNotes_WA_Widgets_AutoUpdate_Day
Default value: 0
Acceptable values: A number
Description: The interval for iNotes Widgets automatic update. Default is 0 (never runs). iNotes_WA_Widgets_AutoUpdate_Day=1 is recommended.

Parameter: iNotes_WA_FormsFiles
Default value: iNotes/Forms9.nsf
Acceptable values: Path to a forms file; for example: iNotes/Forms9.nsf
Description: Instructs iNotes to use a Domino Social Edition Open Social component forms file instead of the default file.

Parameter: iNotes_WA_DefaultFormsFile
Default value: iNotes/Forms9.nsf
Acceptable values: Path to a forms file; for example: iNotes/Forms9.nsf
Description: Instructs iNotes to use a Domino Social Edition Open Social component forms file as the default file.

Table 2. Notes.ini file parameters for Domino Social Edition Open Social component, Related to OAuth protocol use in Notes and iNotes clients. Table shows parameters and acceptable values, followed by a description.

Parameter: SocialOAuth2ClientCacheSize
Default value: 20
Acceptable values: A number > 0
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 client information.

Parameter: SocialOAuth2TokenCacheSize
Default value: 1000
Acceptable values: A number > 0
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 tokens.

Parameter: SocialOAuth2AccessorCacheSize
Default value: 100
Acceptable values: A number > 0
Description: Sets the size (number of objects) of the least recently used cache of OAuth2 accessor objects. These objects are used for in-progress OAuth authentication processes.

Parameter: SocialOAuth10aClientCacheSize
Default value: 20
Acceptable values: A number > 0
Description: Sets the size (number of objects) of the least recently used cache of OAuth 1.0a client information.

Parameter: SocialOAuth10aTokenCacheSize
Default value: 1000
Acceptable values: A number > 0
Description: Sets the size (number of objects) of the least recently used cache of OAuth 1.0a tokens.

Table 3. Notes.ini file parameters for Domino Social Edition Open Social component, Related to gadgets. Table shows parameters and acceptable values, followed by a description.

Parameter: SocialCapabilitiesRefreshInterval
Default value: 60
Acceptable values: A number > 0
Description: Interval in minutes at which to check for updates to gadget capabilities in order to refresh the cached information; 0 or less disables the refresh check.

Parameter: SocialOAuthRefreshInterval
Default value: 60
Acceptable values: A number > 0
Description: Interval in minutes at which to check for updates to OAuth client information; 0 or less disables the refresh check.

Parameter: SocialProxyRefreshInterval
Default value: 60
Acceptable values: A number > 0
Description: Interval in minutes at which to check for updates to proxy configuration rules; 0 or less disables the refresh check.

Using a credential store to share credentials

In the Open Social component, the on-premises Domino server can use a credential store application, credstore.nsf. The credential store is a secure repository for document encryption keys and other tokens necessary for Notes and iNotes client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts.

Note: In combination with new Social Edition Open Social component configuration and deployment, a credential store allows Domino to support embedded-experience applications designed using the OpenSocial 2.0 standard and the Apache Shindig container.

If your Notes or iNotes client users run Domino Social Edition Open Social component, a credential store provides the following benefits:
- iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster.
- iNotes users can authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts.


In addition, you can centrally store OAuth consumer keys and secret information without requiring any insecure distribution of document encryption keys.

After you have created the credential store, you use it to store centrally the consumer key and secret that you create whenever you configure a Domino server application to access the Web using the OAuth protocol, as well as the access token generated when a Notes or iNotes user authorizes the Domino application for access to his or her data on an OAuth-compliant Web site.

Configuring widgets for specific IBM Notes 9.0 client releases

In Notes 9.0, the widget catalog administrator can use the Platform field in widget catalog documents to control which widgets in a category of widget are deployed to users. This feature is enabled by default on iNotes clients. For Notes clients you need to enable a preference to use this feature.

If a desktop settings policy is set up to push a widget catalog server, widget catalog application name, and widget categories to install to the users of the policy, the Platform field on the Notes and iNotes Social Edition Open Social component-only clients determines whether the widgets in the category should be installed on the specific client and release.

OpenSocial widgets should be installed only on Notes and iNotes 9.0 or later clients. To install such widgets properly, set the Platform field to Notes 9.0 and, if you have iNotes client users, iNotes 9.0. Do not leave the field empty.

iNotes integration with IBM Docs

Integrating iNotes with IBM Docs provides iNotes users the ability to view documents with IBM Docs. You can allow users to view all supported document file types or you can specify which of the supported file types users are allowed to view with IBM Docs. The supported document types are xls, odt, xlsx, docx, pptx, ods, odp, and ppt.

iNotes integration with IBM Connections files

You can make file sharing easier for iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with Connections files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Connections. Where possible, the files that are being linked to are shared with the recipients at send time. Users can upload received attachments to Connections Files and then remove the attachment from the email and replace it with a link to the newly uploaded file to save space in their mail file. Connections 3.6 and more recent versions are supported for integration with iNotes.

Return receipt generation control

You can set a server notes.ini file parameter to show or suppress a prompt for iNotes client users that appears by default. The prompt lets the user choose whether to acknowledge a request for a return receipt on an incoming message. If you do not set the notes.ini file parameter, the prompt always appears when the user receives such a request.
- iNotes_WA_SendReturnReceipt=2 Displays a prompt giving the iNotes user the choice whether to acknowledge a request for a return receipt.
- iNotes_WA_SendReturnReceipt=1 Always sends a return receipt; does not notify the user.
- iNotes_WA_SendReturnReceipt=0 Never sends a return receipt; does not notify the user.


Administering iNotes

IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

iNotes users can send and receive mail, view their calendars, invite people to meetings, create to do lists, keep a notebook, and work offline. After being set up for iNotes, a user can use both the standard Notes client and a Web browser to access their mail files. Because both the Notes client and iNotes operate on the same underlying user mail file, read and unread marks remain up-to-date, regardless of which client they use to read their mail. Users can also synchronize contact information in their Notes Contacts with information in their iNotes contacts list.

While users simply need a name and Internet password to log on and use iNotes, a Notes ID is required if a user wants to work offline. Be sure to create a Notes ID for each user when registering new users with the iNotes mail template.

iNotes includes two modes: full mode and ultra-light mode. The full mode, as previously described, provides a full set of features including mail, calendar, notebook, contacts, and to do list. The ultra-light mode is designed for use on a mobile device and is initially supported on the Apple iPhone or iPod touch. Ultra-light mode is also the accessible mode, available on Microsoft Windows operating systems (Win32) using Mozilla Firefox 3.0 or later.

Security

iNotes requires user log-on and logout security. When a user logs on, they must enter their name and Internet password, as specified in their Person document. The login names that the server accepts as valid depend on the setting in the Internet authentication field on the Security tab of the Server document.

When the user logs out, iNotes closes the browser and removes the user's log-on credentials and private data from the browser's cache. By deleting this data, unauthorized users are prevented from using cached information to access the user's mail file. In Internet Explorer, you can use Browser Cache Management to improve the client side performance and security of iNotes sessions by controlling which entries are stored in the cache and which are removed when the session ends. The removal of private data from the browser's cache and more secure data clearing capabilities are available only if the user accepts the iNotes control.

iNotes will not remove some personal data unless the user explicitly selects Logout for Shared PCs or Kiosk Users. With this selection, users can choose one of two secure logouts:
- Secure - This option deletes all traces of the user's personal use of iNotes and any Web pages that they have browsed, but keeps iNotes program elements, which boosts performance when the next person logs on.
- More secure - This option deletes all traces of iNotes and all other Web pages in the temporary Internet files folder.

You can also redirect users to a specific Web page after they logout.


Integration with DOLS, Sametime®, Connections, and IBM Docs

To provide users with the ability to work offline and use IBM Sametime you can integrate iNotes with Domino Off-Line Services (DOLS) and Sametime (instant messaging). DOLS enables users to work offline, disconnected from the network, and provides many replication features that Notes users expect when working in the Notes client. Sametime provides integrated, real-time chat features for iNotes users. Neither DOLS nor Sametime are required for iNotes use.

You can make file sharing easier for iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with IBM Connections Files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Files.

Provide iNotes users the ability to view documents with IBM Docs. You can allow users to view all supported document file types or you can specify which of the supported file types users are allowed to view with IBM Docs.

Related concepts:

“Setting up iNotes on a server”
IBM iNotes provides IBM Notes users with browser-based access to Notes mail, as well as Notes calendar and scheduling features. Using iNotes, a user can send and receive mail, view the calendar, invite people to meetings, create to do lists, keep a notebook, and work off line.

“Using Domino Off-Line Services (DOLS) and iNotes”
To provide IBM iNotes users with the ability to work off line, enable IBM Domino Off-Line Services (DOLS) when you set up the server. DOLS enables users to work off line, disconnected from a network, and provides many replication features that IBM Notes users expect when working in the Notes client.

Related tasks:

“Registering iNotes users”
When registering IBM iNotes users, select iNotes for your mail system, and the MAIL85.NTF mail template. This template contains mail template support for both the iNotes client and the IBM Notes client.

“Setting up iNotes with Sametime”
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

“Using browser cache management”
Use browser cache management to improve client side performance and security of IBM iNotes sessions on Internet Explorer by controlling which entries are stored in the cache and which are removed when the iNotes session ends.

Related information:

Controlling the level of authentication for Internet clients

iNotes ultra-light mode

The ultra-light mode of IBM iNotes is designed for use on a mobile device. It is also the accessible mode available on Microsoft Windows operating systems (Win32) using Mozilla Firefox 3.0 or later.

Ultra-light mode provides basic mail and contacts capabilities, along with a day-at-a-glance calendar. Using iNotes ultra-light, with one touch users can view their iNotes Inbox, Contacts, or Day-at-a-glance Calendar.


As with other modes of iNotes, the ultra-light mode includes the Active Content Filter to reduce the risk of encountering dangerous script in HTML, and browser cache management to store only UI components, but no personal information in the cache. Ultra-light mode also supports the use of reverse proxies and iNotes Redirect for login. You can also use security products, such as the IBM Tivoli® Access Manager (TAM).

iNotes ultra-light is supported on the Apple iPhone or Apple iPod touch. And because it is entirely browser based, there are no additional space or memory demands on your device. iPhone users are directed to the ultra-light UI by default when using the URL to their mail file.

To view the accessible mode of iNotes on Windows, users enter the URL address of their server in the browser using the following format, for example:

http://<server.domain>/<mailfile path>/?OpenDatabase&ui=inotes_ulite

Alternatively, you can use iNotes Redirect, so that users do not need to know the name of their mail file and mail server; they need only know the name of the iNotes Redirect server. Using either address, users are prompted to log in using their iNotes user name and password, after which the Home view opens by default.

It is recommended that you use IBM Domino HTTP Session Authentication with the iNotes Redirect Application for authentication of ultra-light mode users. Due to limitations of the iPhone and iPod touch, it is not possible for end users to close the last running instance of the browser unless they reset the device. Because of this, basic authentication credentials cached in the browser cannot be cleared, which could pose a security risk.

Related concepts:

“Administering iNotes”
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Features supported in iNotes ultra-light mode

The ultra-light mode of IBM iNotes supports mail, calendar and contacts features.

This table is an overview but not necessarily a complete list of the features supported in iNotes ultra-light mode.


Table 4. Features supported in iNotes ultra-light mode

Area Description

Mail Features available when viewing mail:

v View the iNotes mail using these views:Inbox, Sent, Trash, All documents

v Refresh the view

v View the unread count for the Inbox

v Message indicators: urgent message,message type, unread flag, attachments,recipient indicator, replied to, forwarded

v Trash view includes ability to empty trashand to restore from trash

Features available when navigating mail:

v Navigate to the next or previous set ofmessages

v From an open message, ability to navigateto the next or previous message, or deleteand then navigate to the next or previousmessage without returning to the view

Features available when reading andresponding to mail:

v Mark a message as read or unread

v View rich text messages with embeddedimages

v Open and reply to messages and forwardmessages in plain text (including historyand attachments)

v Download attachments on computer; viewattachments on device (if file type issupported by the device)

Features available when composing mail:

v Compose and send new messages usingplain text

v Validate and expand e-mail addresses

v Address picker available

v Type-ahead addressing for recently usede-mail addresses

Features available when managing mail:

v Use view management to supportselection of multiple documents, add orremove a follow-up flag, mark a messageread or unread, restore a message fromTrash

v Support plain text signature preference setin full mode

v Support follow-up quick flag usingpreferences set in full mode

8 IBM iNotes 9.0 Social Edition Administration Beta Help: December 13, 2012

Page 13: BETA IBMiNotes9.0SocialEdition Administration Beta Help ... › blogslug.nsf › dx › inotes90_social_edition_beta_admini… · Chapter 1. Product overview Learn about new features

Table 4. Features supported in iNotes ultra-light mode (continued)

Area: Contacts

Features available when viewing contacts:

- View a list of the iNotes contacts alphabetically by name
- Open and read a personal or group contact record
- Open a contact record from the address picker
- Contact information includes mobile and business phone and the primary e-mail address

Features available when creating contacts:

- Use a single touch to create a new message or dial the phone number from your contacts list or an open contact
- Create a new personal contact record; edit existing personal contact records
- Create a quick contact using basic information only


Table 4. Features supported in iNotes ultra-light mode (continued)

Area: Calendar

Features available when viewing your calendar:

- View iNotes calendar entries for a day
- View unprocessed invitations in Calendar view if user preference Display new (unprocessed) notices is set
- Refresh the view
- Location and time zone information is detected automatically
- For IBM Notes users, if Calendar preferences are used to assign colors to different event types, those colors are reflected here

Features available when navigating your calendar:

- Ability to navigate to the next or previous day's events
- Ability to navigate to a specific date using a date picker
- Jump to "today" when another day is displayed

Features available when managing your calendar:

- Open and read calendar entries
- Accept or decline meeting invitations
- Support automatic processing of meeting invitations preference set in full mode
- For accepted meetings, automatically apply accepted updates and reschedule information
- Provide status information in Availability and Update fields

Disabling ultra-light mode

You can disable IBM iNotes ultra-light mode using a notes.ini file setting.

About this task

If you are in a mixed environment, this setting also works for earlier versions of iNotes.

Procedure

To disable ultra-light mode, set the notes.ini file variable iNotes_WA_Ultralight=0. The default is 1 (enabled). In releases prior to 8.5.1, this setting was spelled differently, iNotes_WA_Ultralite.


Chapter 2. Getting started with iNotes

After installing and configuring IBM Notes and enabling IBM iNotes, there are several tasks you as an administrator can perform to enable users to get up and running with iNotes.

Perform these tasks in the order they are presented:

Installing and setting up iNotes

When you install the IBM Domino server, all the infrastructure is put in place for IBM iNotes. During the server setup process of the Domino server installation process, be sure to choose Web Browsers (HTTP Web services) to enable iNotes features and functionality and register users with the Mail (R85) (MAIL85.NTF) mail template.

If you want to give users the ability to work offline, also choose Domino Off-Line Services (DOLS) during installation, although DOLS is not required to run iNotes. You can upgrade a server running the latest maintenance release of a shipped version of Domino. If you upgrade, be sure to manually refresh the design of the Domino Directory. For instructions on installing the Domino server, see the topics in the IBM Notes and Domino wiki at http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation.

Domino administrators can use administrative policies to set or to enforce mail and security settings for iNotes users. In addition, any existing policies assigned to iNotes users prior to this release are enforced. To create and assign policy settings to an iNotes user requires both policy settings documents and a policy document.

In a policy settings document, you determine a set of defaults that you want to assign to users. These settings can either lock down certain preferences or enforce administrative settings. A policy document points to the specific settings documents you have created. You use a policy document to assign the policy settings to one or more groups of users.

Setting up iNotes on a server

IBM iNotes provides IBM Notes users with browser-based access to Notes mail, as well as Notes calendar and scheduling features. Using iNotes, a user can send and receive mail, view the calendar, invite people to meetings, create to do lists, keep a notebook, and work off line.

To set up IBM iNotes, select Web Browsers (HTTP Web services) during server setup. To allow users to work off line, enable IBM Domino Off-Line Services (DOLS). DOLS is not required to run iNotes.

Note: Do not use special characters in the domain name; for example, specify RenovationsProduction instead of Renovations.Production.

Specify the fully qualified domain name (FQDN), such as renovations.ibm.com, on the Basics tab of the server document.


Related concepts:
“Administering iNotes” on page 5
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Related tasks:
“Setting up iNotes with Sametime” on page 68
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

Using Domino Off-Line Services (DOLS) and iNotes

To provide IBM iNotes users with the ability to work off line, enable IBM Domino Off-Line Services (DOLS) when you set up the server. DOLS enables users to work off line, disconnected from a network, and provides many replication features that IBM Notes users expect when working in the Notes client.

Users require a Notes ID so that DOLS can synchronize the offline mail file with the server. The default DOLS configuration prompts the user for a Notes ID the first time they go offline with iNotes.

If you rename a user, the user must reinstall the DOLS offline subscription in order for the offline mail file to synchronize with the server. After a name change, the user must wait for the old Notes ID and password to stop working, accept the name change using a Notes client, then log on to iNotes with the new Notes ID and password.

Related concepts:
“Setting up iNotes on a server” on page 11
IBM iNotes provides IBM Notes users with browser-based access to Notes mail, as well as Notes calendar and scheduling features. Using iNotes, a user can send and receive mail, view the calendar, invite people to meetings, create to do lists, keep a notebook, and work off line.

Related tasks:
“Setting up iNotes with Sametime” on page 68
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

Registering iNotes users

When registering IBM iNotes users, select iNotes for your mail system, and the MAIL85.NTF mail template. This template contains mail template support for both the iNotes client and the IBM Notes client.

About this task

Follow the instructions for registering new users, and keep the following information in mind:

- The mail system, iNotes, does not automatically create a Notes ID for the person. Select Create a Notes ID for this person.
- When deploying iNotes to a large number of users, make any hierarchical or name changes before registering new users.
- To enable the mail usage indicator for users, set a mail quota.


Related tasks:
“Configuring alternate name support in iNotes” on page 48
An alternate name is helpful when a user wants to use his or her native language and character set to type, display, and look up names. For example, users can type a name in a native language and character set when sending mail. A user's primary name is recognizable to an international audience; an alternate name is recognizable to the user's native language.
“Enabling the mail usage indicator in iNotes”
To enable a mail file usage indicator so that IBM iNotes users can view the percentage of their mail file that is in use, set a database quota.

Enabling the mail usage indicator in iNotes

To enable a mail file usage indicator so that IBM iNotes users can view the percentage of their mail file that is in use, set a database quota.

About this task

You can set the quota when you register users or by using a registration policy settings document. In either case, complete these fields on the Advanced options > Mail tab:

- Set database quota -- Click to enable, and then specify a size limit (maximum of 10GB) for a user's mail database.
- Set warning threshold -- Click to generate a warning when the user's mail file reaches a certain size, and then enter the warning size (maximum of 10GB).

By default, users cannot send mail when their mail file quota has been reached, even if they have their mail preferences set to send messages only, rather than send and save. To change this behavior so that users can send, but not save, a message after their quota is met, add the setting iNotes_wa_Ignore_Quota=1 to the mail server's notes.ini file.

Related tasks:
“Registering iNotes users” on page 12
When registering IBM iNotes users, select iNotes for your mail system, and the MAIL85.NTF mail template. This template contains mail template support for both the iNotes client and the IBM Notes client.

Providing a log-on URL for iNotes users

After registering your new IBM iNotes users, you need to provide them with information they need to access their mail files.

About this task

Provide this information to new IBM iNotes users:

- User name
- Internet password
- Default log-on URL, http://servername.com/mail/username.nsf

The default URL displays the Welcome page when users log in to iNotes. However, you can give users a URL that will display other views upon login. Appending the following text to the URL with a specific keyword will cause iNotes to initially display a different view:

.../username.nsf/inotes/keyword/?OpenDocument&ui=inotes


For example, the following URL will open the user's calendar when the user logs in.

http://servername.com/mail/username.nsf/inotes/keyword/?OpenDocument&ui=inotes

Table 5. URL keywords for initial login display

| To display | Use URL keyword |
| --- | --- |
| Mail Inbox | mail |
| Calendar | calendar |
| To Do List | todo |
| Contact List | contacts |
| Notebook | notebook |

Related tasks:
“Registering iNotes users” on page 12
When registering IBM iNotes users, select iNotes for your mail system, and the MAIL85.NTF mail template. This template contains mail template support for both the iNotes client and the IBM Notes client.
“Using iNotes Redirect to access mail in iNotes” on page 17
IBM iNotes users can access their mail files using iNotes Redirect. With iNotes Redirect, users do not need to know the name of their mail file and mail server, they need only know the name of the iNotes Redirect server. iNotes Redirect uses IBM Domino authentication methods to redirect a user's browser to their mail file based on their user name and password.

Using ID vault with iNotes

About this task

You can configure IBM iNotes to take advantage of the ID management features that an ID vault provides. To enable the use of ID vault for iNotes users, select Yes for Allow Notes-based programs to use the Notes ID vault on the ID Vault tab of the Security policy settings document.

If a user has an ID file in the vault but not in their mail database and their policy is set to Yes for integration, then the ID file is pulled from the vault and put in the mail database. Likewise, if a user has an ID file in their mail database but not in the vault, then a copy is uploaded to the vault. If a user has a copy both in the vault and in the database, the two IDs are kept in sync.

When this feature is enabled for iNotes users, the users can:

- Decrypt incoming mail messages without manually importing Notes ID files into their mail file
- Change passwords on their Notes ID files and use the new passwords automatically to perform secure mail operations
- Get their passwords reset in the ID vault by someone with password reset authority and use the new passwords automatically to perform secure mail operations
- Manually synchronize the two ID file copies at any time by opening iNotes Security Preferences and clicking Sync ID with Vault.


Note: The Forgotten password help text field, configured in the ID vault Security Settings policy and used to provide password reset instructions in the Notes logon window, does not apply to iNotes users.

For complete information about configuring ID vault and assigning it to users, see the Notes ID vault topics in the IBM Domino Administrator Help.

Related tasks:
“Creating security policy settings for iNotes users” on page 31
To create or enforce security settings for IBM iNotes users, you must create a security policy settings document.

Using an HTTP-proxy servlet to restrict URLs to external servers

For IBM iNotes features that send requests either to external servers for external calendar overlays or to Web services (IBM Quickr® integration), you must configure an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.

About this task

An HTTP-proxy servlet specifies which sites are allowed and filters out unwanted sites. Then, instead of making a request call to an external server such as a Quickr server or a Google server, calls are passed through the HTTP-proxy servlet. If the external server is included as one of the allowed sites in the whitelist rule for proxy servlets in the security policy settings document, then the request is passed on to the external server, and any information received from the external server is also returned.

In IBM Domino 8.5, the HTTP-proxy servlet was configured by creating a proxy-config.properties file located in the Domino\data\properties directory. This file is no longer supported. Instead, you must create or edit a security settings policy, using the information in this file. Once you have done so, you can delete this file, however leaving it in place will not adversely affect your configuration.

To configure proxies, use a security settings document.

Procedure

1. From the Domino Administrator, create or edit a security settings document.
2. Click the Proxies tab.
3. Click Edit List.
4. Enter the following information to create a white-list rule for each site you want to allow.

Note: If you created a proxy-config.properties file in a previous release, use the information in that file to populate these fields.


Table 6. Proxies tab fields

| Property | Description |
| --- | --- |
| Context | The path of the request to the proxy server, specifies which proxy the rule is for. Examples include: /xsp/proxy/QuickrProxy/, /xsp/proxy/GoogleProxy/, /xsp/proxy/BasicProxy/ |
| URL | Address of the site to which this policy applies. This is the target of the proxy. |
| Actions | The set of HTTP actions this policy allows. These can be GET, POST, HEAD, PUT, DELETE. The most frequently used are GET and POST. For Quickr integration with iNotes, make sure that HEAD is included. |
| Cookies | Cookies allowed for this site. That is, the cookies that will be passed from the browser to the target URL server. Note: Cookies with specified names are always proxied to this site. In addition, any incoming (Set-Cookie response headers) received from the site will also be remembered and eventually sent back on subsequent requests to this site. |
| Mime-types | Content types allowed back from the target server, or use * to allow all. |
| Headers | Headers allowed for this site, or use * to allow all. This attribute determines which headers are forwarded to the target server. Note: Cookies are not handled as a standard header. Adding the entry "cookie" in the headers list has no effect. |
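The rule fields in Table 6, modelled as an added example (this is not Domino's code and not part of the original help): a request is checked against the context, target URL and allowed actions, and only the listed cookies and headers are forwarded. The URL matching semantics (same scheme, host and port, rule path as a prefix), the host quickr.example.com and the cookie name SampleSession are assumptions made for the illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class ProxyRule:
    """One allow-list rule; the fields mirror the columns of Table 6."""
    context: str                              # which proxy the rule is for
    url: str                                  # target site the rule applies to
    actions: frozenset                        # allowed HTTP methods
    cookies: frozenset = frozenset()          # cookie names passed to the target
    mime_types: frozenset = frozenset({"*"})  # content types allowed back
    headers: frozenset = frozenset()          # request headers forwarded


def _origin_and_path(url):
    """Parse a URL into ((scheme, host, port), path); None if malformed."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # for example a non-numeric port
        return None
    if not parts.hostname or port is None:
        return None
    # Compare the parsed host, never a string prefix of the whole URL.
    return (scheme, parts.hostname.lower(), port), parts.path or "/"


def url_matches(rule_url, target_url):
    """Assumed semantics: identical origin, rule path is a path prefix."""
    rule, target = _origin_and_path(rule_url), _origin_and_path(target_url)
    if rule is None or target is None or rule[0] != target[0]:
        return False
    prefix = rule[1] if rule[1].endswith("/") else rule[1] + "/"
    return target[1] == rule[1] or target[1].startswith(prefix)


def evaluate(rules, context, method, target_url, headers, cookies):
    """Return (allowed, reason, forwarded_headers, forwarded_cookies)."""
    for rule in rules:
        if rule.context != context or not url_matches(rule.url, target_url):
            continue
        if method.upper() not in rule.actions:
            return False, "method not allowed", {}, {}
        forwarded_headers = {
            name: value
            for name, value in headers.items()
            # Cookies are not a standard header: a "cookie" entry has no effect.
            if name.lower() != "cookie"
            and ("*" in rule.headers or name.lower() in rule.headers)
        }
        forwarded_cookies = {n: v for n, v in cookies.items() if n in rule.cookies}
        return True, "allowed", forwarded_headers, forwarded_cookies
    return False, "no matching rule", {}, {}


def response_allowed(rule, content_type):
    """Apply the Mime-types column to a response Content-Type value."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return "*" in rule.mime_types or mime in rule.mime_types


# Constructed sample rule; host, cookie and header names are placeholders.
SAMPLE_RULES = [
    ProxyRule(
        context="/xsp/proxy/QuickrProxy/",
        url="https://quickr.example.com/dm/",
        actions=frozenset({"GET", "POST", "HEAD"}),
        cookies=frozenset({"SampleSession"}),
        mime_types=frozenset({"application/atom+xml", "text/xml"}),
        headers=frozenset({"accept", "cookie"}),
    )
]

if __name__ == "__main__":
    print(evaluate(
        SAMPLE_RULES, "/xsp/proxy/QuickrProxy/", "HEAD",
        "https://quickr.example.com/dm/atom/library",
        {"Accept": "application/atom+xml", "Cookie": "SampleSession=abc"},
        {"SampleSession": "abc", "tracking": "z"},
    ))
```

A rule that lists only the methods, cookies, content types and headers a feature needs keeps the proxy from becoming a general-purpose relay; using * in Mime-types or Headers widens what passes through.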


Related concepts:
Using policies with iNotes
IBM Domino administrators can use administrative policies to set or to enforce mail and security settings for IBM iNotes users. In addition, any existing policies assigned to iNotes users prior to this release are enforced. To create and assign policy settings to an iNotes user requires both policy settings documents and a policy document.

Related tasks:
“Creating security policy settings for iNotes users” on page 31
To create or enforce security settings for IBM iNotes users, you must create a security policy settings document.
“Setting up Quickr integration with iNotes” on page 67
IBM Quickr has been integrated with IBM iNotes.
“Enabling external calendars in iNotes” on page 82
To enable users to add external calendars to their IBM iNotes calendars, use a mail policy setting Allow Calendar Subscriptions.

Using realm documents in iNotes

To resolve the issue of multiple login requests, create realm documents to map access from other paths to the root path.

About this task

When Anonymous access is disallowed on the IBM Domino server, and basic authentication by user name and password is enabled, users are challenged to authenticate for both the /mail and the /iNotes realms. To resolve this issue of multiple login requests, create realm documents to map access from other paths to the root path.

On Microsoft Windows, create a realm document to map your Domino data directory, for example, c:\domino\data or wherever your Domino data directory is located, to return a realm of "/".

On UNIX, create a realm document that specifies a Domino data directory of /local/domino_data, or wherever your Domino Directory is located.

Related concepts:
“Administering iNotes” on page 5
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Using iNotes Redirect to access mail in iNotes

IBM iNotes users can access their mail files using iNotes Redirect. With iNotes Redirect, users do not need to know the name of their mail file and mail server, they need only know the name of the iNotes Redirect server. iNotes Redirect uses IBM Domino authentication methods to redirect a user's browser to their mail file based on their user name and password.

About this task

During setup, you can enforce SSL security for anyone using iNotes Redirect to open their mail file in one of two ways. You can enforce SSL for the entire session, or enforce SSL only for authentication, after which the user is switched back to non-SSL. You can change the SSL port number, if it is not the default 443.

Setting up iNotes Redirect

About this task

The iNotes Redirect template, IWAREDIR.NTF, is in the Domino data directory. To set up iNotes Redirect:

Procedure

1. Create an application using the IWAREDIR.NTF template.
2. In the IBM Notes client, open the application that you created.
3. Click Setup and follow the prompts to set up iNotes Redirect.

Note: If you select MailServer as the Redirection Type under Server Settings, the common name of the Domino mail server must be the same as its fully-qualified TCP/IP domain name. For example, if the mail server field in the person document is set to serverA/domainA, the server's TCP/IP fully-qualified domain name must be serverA.ibm.com.

Using iNotes Redirect with portal views

About this task

If you have enabled Personal Options for users to display iNotes in portal views, use these notes.ini file variables so that the Logout and the Offline buttons display in portal views. Also note that offline is required for local archiving in portals.

iNotes_WA_PortalLogout=1

iNotes_WA_PortalOffline=1

Using iNotes Redirect

About this task

To use iNotes Redirect, complete these steps:

Procedure

1. Launch the browser.
2. Enter the URL of the iNotes Redirect server, for example, enter server.acme.com.
3. When prompted, enter your user name and password.

Using the new DWALoginForm

About this task

To use the new DWALoginForm, you must have created a Domino Web Server Configuration application.

Note: The DWALoginForm has been redesigned in iNotes 8.5.4 so that it conforms to the One UI standard.

Procedure

1. Open the Domino Web Server Configuration application (DOMCFG.NSF).
2. Click Add Mapping.
3. Change the Target Database to your iNotes Redirect application.
4. Change the Target Form to DWALoginForm.
5. Click Save & Close.

Results

You are now ready to use the new DWALoginForm.

Setting up archiving using policies and configuration settings

You can use configuration settings or policy settings, or a combination of both to set up archiving for IBM iNotes. You can determine how and where users can archive, and whether archive preferences are available to users in the iNotes client.

About this task

Note: The notes.ini file setting iNotes_WA_DisplayArchiveList is no longer required. This setting was used when more than one archive policy was available for a user.

Configuring archiving for all users on a server

About this task

To set up server or local archiving for all users on the server, use these settings in the mail server's configuration settings document under Other Settings:

- Archiving on server - Enable (default) to allow users to create archives of their mail files on the server.
- Local Archiving - Enable to allow users to archive locally to their own system.

Configuring archiving on an individual basis using mail policy settings

About this task

Another way to configure archiving is to apply a policy to individuals by using mail policy settings. These policy settings take precedence over server-wide configuration settings. To configure server or local archiving using policies, use the following mail policy settings on the iNotes > Configuration tab:

- Allow archiving on the server - Enable this setting to allow archiving on the server for an individual. If this setting is not enabled, the associated user preference does not display. If neither archiving setting is enabled, the archiving preference pane does not display.
- Allow local archiving - Enable this setting to allow archiving locally for an individual. If this setting is not enabled, the associated user preference does not display. If neither archiving setting is enabled, the archiving preference pane does not display.

Using archive policy settings

About this task

You can also use archive policy settings to prohibit archiving entirely, or to allow archiving based on criteria that you define, but prohibit users from creating their own archiving criteria. The following archive policy settings are on the Basics tab:

- Prohibit archiving - Enable this setting to disable all archiving functions. Enabling this setting removes the Archive Preferences pane and the Archive section in the navigator pane of the mail Inbox.

  Note: This setting takes precedence over both the configuration settings document settings and mail policy document settings.

- Prohibit private archiving criteria - Enable this setting to prevent users from creating their own archive criteria. Users can open their archives, but will see archive destinations as defined by the assigned archive policy.

  Note: Enabling this setting disables archive preferences.

Enabling action menus in the mail archive

About this task

For server-based archiving, use the notes.ini file setting iNotes_WA_EnableActionsInArchive=1 to enable action menus from the mail archive. Using this setting enables the action menus Reply, Reply to All and Forward.

Related tasks:
“Creating mail policy settings for iNotes users” on page 23
IBM Domino administrators can use a number of mail policy settings.
Chapter 4, “Editing the configuration settings document for iNotes,” on page 39
Many of the features you enable using the configuration settings document can also be configured using policies.

Creating a URL for an iNotes portal

You can provide a Web portal that shows one or several views of IBM iNotes.

About this task

A portal is a Web site that aggregates information from a variety of sources onto one page. You can provide a Web portal showing only one view of iNotes, or one showing several views. iNotes supports special URLs that allow a particular functional area, such as calendar, to be displayed within an IFRAME, or a full browser window. This view takes up very little screen space and limits access to other functional areas.

An individual iNotes portal view is limited to one of these functional areas:

- Inbox
- Calendar
- To Do List
- Notebook
- Contact List

The URL syntax for an iNotes portal showing just the mail Inbox is, for example:

.../username.nsf/inotes/mail/?OpenDocument&ui=portal

To place all of iNotes within a portal page, use the normal iNotes URL without the &ui=portal parameter.


Note: Use the notes.ini file setting iNotes_WA_PortalOffline to specify offline and local archive options in a portal.

Allowing pass-through of HTML

In IBM iNotes, pass-through HTML enclosed within brackets is disabled by default. To allow this pass-through HTML style, use the notes.ini file setting iNotes_WA_AllowPassThruHtml=1. The default value is 0.


Chapter 3. Configuring iNotes

Administrators specify mail policy and security policy settings as well as notes.ini file settings to complete the full implementation of IBM iNotes.

Creating mail policy settings for iNotes users

IBM Domino administrators can use a number of mail policy settings.

Showing the unread count on folders

You can set a mail policy setting so that all folders, except for personal folders, display the number of unread messages next to the folder name in the navigator pane. This count automatically adjusts when a message is read, or when an unread message is moved from/to a folder. For personal folders, the count does not update automatically but rather a refresh icon displays next to the folder name and the count updates when users click the icon.

About this task

If users have elected to refresh the Inbox automatically by setting a Mail > General preference, the unread count for system folders such as Inbox or Junk, updates automatically when new mail arrives. However, unread mail that is moved to a folder as a result of a mail rule does not increment the unread count for the designated folder.

Set up the unread count feature by creating or editing a mail policy settings document and completing these fields on the iNotes configuration tab:

- Enable unread count - Enable so that the number of unread messages in a folder displays in the navigator pane of IBM iNotes.
- Autoupdate unread count - Select the mail folders for which you want to update the unread count automatically.

Related tasks:
“Creating mail policy settings for iNotes users”
IBM Domino administrators can use a number of mail policy settings.
“Setting up automatic refresh for the Inbox” on page 24
By default, IBM iNotes users can set a general mail preference so that their Inbox is updated automatically when new mail arrives. Additionally, if you have enabled the unread count feature for mail folders so that the count is updated automatically, the count is updated automatically for system folders (Inbox and Junk) when new mail arrives.

Enabling scroll hints

You can enable scroll hints in the mail policy settings document.

About this task

In IBM iNotes, scroll hints display information that helps you know approximately where you are within a sorted list based on how you have the view sorted. For example, if you sort by Subject, and you are looking for a message with a subject of iNotes, and a scroll hint displays IBM Sametime, you know you have gone too far, and might want to position a little higher in the list. Scroll hints are disabled by default.

To enable scroll hints, create or edit a mail policy settings document. On the IBM iNotes - Configuration tab under Mail, check Yes for Enable Scroll Hints.

Setting up automatic refresh for the Inbox

By default, IBM iNotes users can set a general mail preference so that their Inbox is updated automatically when new mail arrives. Additionally, if you have enabled the unread count feature for mail folders so that the count is updated automatically, the count is updated automatically for system folders (Inbox and Junk) when new mail arrives.

About this task

To disable the automatic refresh feature, use the Refresh Inbox automatically setting in the mail policy settings document, iNotes Configuration tab. If you disable this setting, the associated mail preference Refresh Inbox automatically does not display in user preferences.

Related tasks:
“Creating mail policy settings for iNotes users” on page 23
IBM Domino administrators can use a number of mail policy settings.
“Showing the unread count on folders” on page 23
You can set a mail policy setting so that all folders, except for personal folders, display the number of unread messages next to the folder name in the navigator pane. This count automatically adjusts when a message is read, or when an unread message is moved from/to a folder. For personal folders, the count does not update automatically but rather a refresh icon displays next to the folder name and the count updates when users click the icon.

Enabling RSS feeds for iNotes

You can enable RSS feeds for IBM iNotes mail through mail policy settings or by using notes.ini file variables.

About this task

When feeds are enabled, a feeds icon displays in the Inbox. Then, feed readers that are built into browsers or that have browser extensions automatically detect that a feed link is present from a user's iNotes Inbox. If enabled, users can subscribe to the feed so that the feed reader application detects new mail. Since iNotes mail files are generally not accessible by anonymous users, the feed reader application must support storing authentication information to the mail server to retrieve the latest feed.

Note: Be aware that HTTP traffic to your IBM Domino mail server can increase if many users subscribe to these feeds within external feed readers.

Note: External feed readers are not able to properly authenticate to the Domino server if forms-based authentication is used. By default, basic authentication is enabled for feed requests.

Procedure

1. To enable feeds, edit or create a mail policy settings document.
2. On the IBM iNotes > Configuration tab under Feeds Feature Settings, set the following fields:
   • Set feeds - Use this setting to enable feeds. This setting overrides the notes.ini file setting iNotes_WA_Feeds.
   • Set feeds secured - Select Yes for this setting to enable non-HTTP non-secure feeds. By default, only secure feeds to the mail file are enabled to prevent insecure authentication from occurring as part of a feed retrieval.

     Tip: (Optional) Change the notes.ini file setting iNotes_WA_FeedsSecured=0 to allow feeds to be accessed via http rather than https. The default value is 1.

   • Feeds protocol name - Use this setting to have further control of the feed protocol advertised by the Inbox page. It is applicable only when Set feeds secured is enabled. If not specified, the advertised feed uses the same protocol as the current page on which the feed advertisement occurs. The Feeds protocol name setting overrides the notes.ini file setting iNotes_WA_FeedsProtocol.

Disabling basic authentication for feeds

About this task

By default, iNotes forces basic authentication for feeds. You can disable that authentication.

Procedure

Use these notes.ini file settings:
• iNotes_WA_DisableForceBasicAuthForFeeds=1 Disables basic authentication for both Atom and RSS requests
• iNotes_WA_DisableForceBasicAuthForRSS=1 Disables basic authentication for RSS requests only
• iNotes_WA_DisableForceBasicAuthForAtom=1 Disables basic authentication for Atom requests only
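The following Python audit is an added example, not IBM code: it reads a notes.ini and reports the feed settings named above that let basic-authentication credentials travel over plain http, or that switch forced basic authentication off. Assumptions: variable names are matched case-insensitively, lines without "=" are ignored, the sample file is constructed, and mail policy settings (which override notes.ini) are not consulted.

```python
"""Audit feed-related notes.ini variables (added example, not IBM code)."""

FEED_TYPES = ("RSS", "Atom")

# Variables from this page that switch off forced basic authentication,
# mapped to the feed types each one affects.
DISABLE_BASIC = {
    "inotes_wa_disableforcebasicauthforfeeds": FEED_TYPES,
    "inotes_wa_disableforcebasicauthforrss": ("RSS",),
    "inotes_wa_disableforcebasicauthforatom": ("Atom",),
}
FEEDS_SECURED = "inotes_wa_feedssecured"  # page default: 1 (https only)


def parse_notes_ini(text):
    """Return {lower-cased name: [values in file order]}.

    Assumption: names are compared case-insensitively and any line
    without '=' (for example a section header) is ignored.
    """
    settings = {}
    for raw in text.splitlines():
        name, sep, value = raw.partition("=")
        if sep and name.strip():
            settings.setdefault(name.strip().lower(), []).append(value.strip())
    return settings


def audit_feed_settings(text):
    """Return (code, message) findings, taking the worst case over duplicates."""
    settings = parse_notes_ini(text)
    findings = []

    # A variable defined twice with different values is ambiguous: report it,
    # then evaluate the remaining checks against the least secure value.
    watched = set(DISABLE_BASIC) | {FEEDS_SECURED}
    for name in sorted(n for n in watched if n in settings):
        values = sorted(set(settings[name]))
        if len(values) > 1:
            findings.append(("CONFLICT", f"{name} has values {values}"))

    http_allowed = "0" in settings.get(FEEDS_SECURED, ["1"])
    basic_off = set()
    for name, feed_types in DISABLE_BASIC.items():
        if "1" in settings.get(name, []):
            basic_off.update(feed_types)

    if http_allowed:
        findings.append(
            ("HTTP_FEEDS", "iNotes_WA_FeedsSecured=0: feeds are reachable over http")
        )
    for feed in FEED_TYPES:
        if feed in basic_off:
            findings.append((
                f"BASIC_OFF_{feed.upper()}",
                f"forced basic authentication is disabled for {feed} requests; "
                "external feed readers cannot authenticate with forms-based "
                "authentication",
            ))
        elif http_allowed:
            findings.append((
                f"CLEARTEXT_BASIC_{feed.upper()}",
                f"{feed} requests force basic authentication while http is "
                "allowed, so credentials can cross the network unencrypted",
            ))
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
iNotes_WA_Feeds=1
iNotes_WA_FeedsSecured=0
iNotes_WA_DisableForceBasicAuthForRSS=1
"""

if __name__ == "__main__":
    for code, message in audit_feed_settings(SAMPLE_NOTES_INI):
        print(f"{code}: {message}")
```
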

Using widgets in iNotes

You can define a set of widgets that are integrated into the IBM iNotes mail client and specify the toolbox catalog and category names from which users can select and install their own widgets.

About this task

The widgets you define display in the Widgets folder in the navigation pane. When a user launches a widget, it may optionally solicit some input within a dialog or from selected text on the page, and then eventually open an external Web page in a new tab or a new browser window. Users can enter any text that is required by the service, such as text to be translated by a translation service, and the application results or output is displayed.

Enabling and configuring widgets in iNotes

About this task

Enable this feature by checking these two mail policy settings on the iNotes - Configuration tab of the Mail policy settings document:
• Show the Widgets folder in the Mail outline
• Allow users to create widgets from XML (optional, for advanced users)

If you do not use policies or if you want to enable or disable this feature temporarily on a trial basis, you can use the notes.ini file setting iNotes_WA_Widgets=1 to enable it server-wide, or iNotes_WA_Widgets=0 to disable it server-wide. Using this setting overrides any policy setting.

To configure this feature, edit the inotes_config.xml file (located in the Domino/Data/domino/html folder) to include the widget configuration information. If this file does not exist, you can create this file based on the following example. The file may include one or both of the following elements:
• A <toolboxCatalog> element specifying the toolbox catalog database name and the comma delimited list of categories containing widgets. iNotes users are able to select widgets that specify the iNotes 8.5 target platform in these categories when they select the Browse Widgets Catalog context menu item on the Widgets folder in the mail outline. Note that a local replica of the toolbox catalog must be located on the IBM Domino Web server, and that only widgets in the specified categories that specify iNotes 8.5 in the platform field of the widget document are displayed.
• Zero or more <webcontextConfiguration> elements containing widget definitions. Widgets specified here appear in the Widgets folder of all users and cannot be removed by the user. The XML for a widget can be obtained from the extension.xml file included as an attachment in the document defining the widget in the toolbox catalog.

The following is example markup for inotes_config.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<inotes:extensions xmlns:inotes="urn:x-inotes:ibm.com">
  <toolboxCatalog name="toolbox.nsf" categories="iNotes Widgets"/>
  <webcontextConfiguration version="1.1">
    ...
  </webcontextConfiguration>
  <webcontextConfiguration version="1.1">
    ...
  </webcontextConfiguration>
</inotes:extensions>

Differences between the Notes client and iNotes using HTTP POST

About this task

The IBM Notes client and iNotes implement the HTTP POST form submission method of loading a Web page differently due to security restrictions imposed by the same origin server policy on browser applications. Notes first loads the form from the Web site into the embedded browser, and then inserts the required parameters into the DOM of the form and submits it by invoking the form's submit JavaScript method. However, since iNotes is a browser application running inside of the browser, rather than an embedded browser container like Notes, it cannot access any elements in the DOM of the Web application unless the Web application is served from the same server as iNotes. This is known as the same origin server security policy. Consequently, iNotes must create a form element with the known input fields and values, and then submit the form to the Web application server using the form's action URL, specifying that the response display in the target iframe. As a result, iNotes cannot support widgets for all Web sites that the Notes client can support. The method of form submission that iNotes uses may fail for a number of reasons, but these are the most common:
• The Web application requires JavaScript code to run when the form is submitted which sets the values of hidden fields on the form.
• The Web application uses a nonce (a unique string whose value is valid only for a short time) that is included in the POST as a way to guard against denial of service attacks.

Known issues

About this task

Widgets created using Notes 8.0 do not specify the action URL for the form when using form based (HTTP POST) parameter submission. In Notes 8.5, the widget creation wizard has been enhanced to provide the action URL in the <formAction> element. This means that widgets created with Notes 8.0 that use HTTP POST form submission will likely not work with iNotes and would need to be recreated using the Notes 8.5 wizard.

Web agent design elements in the toolbox catalog database must be signed using the Domino server's credentials in order to allow these agents to run for iNotes users. If the design elements are not signed by the server, iNotes users will not be able to browse the widgets catalog. Use the Domino Administrator client to sign the design documents in the database with the server's ID.

Limitations

About this task

There are a number of limitations regarding the use of widgets with iNotes compared to the Notes client. These are in the following list. Catalog widgets should be tested with iNotes to make sure that they work well on that platform prior to making them available to iNotes users. Catalog widgets are made available to iNotes users by adding "iNotes 8.5" to the platform field in the catalog document for the widget, and by including them in a category, or categories, specified in inotes_config.xml. Note that filtering widget catalog entries by platform type is relatively expensive from a server performance standpoint compared to filtering by category, so to maximize server performance, avoid including widgets that cannot support iNotes in the categories used to expose widgets to iNotes users.

Following is a list of widget limitations when using widgets with iNotes:
• Only widget definitions (<palleteItem> elements) with providerId="com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider" are supported at this time.
• The only supported output targets for a widget are an iNotes tab panel and a new browser window. The <actionType> element in the widget XML specifies the default output target. The sidebar and floating window targets are not supported. If the <actionType> element for the widget specifies an unsupported output target, then the output is displayed in an iNotes tab panel. Note that the user can override the default output target by selecting the desired target in the Open context menu item for the widget.
• The only supported contentTypeId for <contextData> elements is content.textSelection.
• It is possible for users navigating a Web site within a tab panel in iNotes to click on a link that will navigate to a different top-level browser page. Due to browser architecture, there is no way for iNotes to prevent this from occurring. It is best to avoid using tab panels with Web sites that contain such links and to open these Web pages in a new browser window instead.
• iNotes cannot detect selected text within a Web page that is displayed in an iNotes tab pane for the purpose of passing the selected text as an input parameter to a widget, if the Web page is served from a different server than iNotes.
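The following Python check is an added example, not IBM code: it parses an inotes_config.xml and reports widget definitions that fall outside the providerId and contentTypeId limitations listed above, so they can be caught before the file is deployed to all users. The sample document, the widget id attributes and the placement of <contextData> inside <palleteItem> are constructed assumptions; real widget XML comes from the extension.xml attachment in the toolbox catalog.

```python
"""Check inotes_config.xml against the iNotes widget limitations (added example)."""
import xml.etree.ElementTree as ET

INOTES_NS = "urn:x-inotes:ibm.com"
# The only values this page lists as supported by iNotes.
SUPPORTED_PROVIDER = "com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider"
SUPPORTED_CONTENT_TYPE = "content.textSelection"


def local_name(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def children(parent, name, deep=False):
    """Return child (or, with deep=True, descendant) elements called name."""
    nodes = parent.iter() if deep else iter(parent)
    return [e for e in nodes if e is not parent and local_name(e.tag) == name]


def check_inotes_config(xml_bytes):
    """Return (code, detail) findings for one inotes_config.xml document."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [("MALFORMED_XML", str(exc))]

    findings = []
    if root.tag != f"{{{INOTES_NS}}}extensions":
        findings.append(("UNEXPECTED_ROOT", root.tag))

    # <toolboxCatalog> needs a database name and a comma delimited category list.
    for catalog in children(root, "toolboxCatalog"):
        if not catalog.get("name", "").strip():
            findings.append(("CATALOG_WITHOUT_NAME", "toolboxCatalog"))
        categories = [c.strip() for c in catalog.get("categories", "").split(",")]
        if not all(categories):
            findings.append(("EMPTY_CATEGORY", catalog.get("categories", "")))

    # Widgets defined here appear for all users and cannot be removed by them,
    # so each definition is checked against the listed limitations.
    for config in children(root, "webcontextConfiguration"):
        for item in children(config, "palleteItem", deep=True):
            widget = item.get("id", "<no id>")  # id attribute is an assumption
            provider = item.get("providerId", "")
            if provider != SUPPORTED_PROVIDER:
                findings.append(("UNSUPPORTED_PROVIDER", f"{widget}: {provider}"))
            for ctx in children(item, "contextData", deep=True):
                ctype = ctx.get("contentTypeId", "")
                if ctype != SUPPORTED_CONTENT_TYPE:
                    findings.append(("UNSUPPORTED_CONTENT_TYPE", f"{widget}: {ctype}"))
    return findings


# Constructed sample: one supported widget and two that iNotes cannot use.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8" ?>
<inotes:extensions xmlns:inotes="urn:x-inotes:ibm.com">
  <toolboxCatalog name="toolbox.nsf" categories="iNotes Widgets"/>
  <webcontextConfiguration version="1.1">
    <palleteItem id="translate"
        providerId="com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider">
      <contextData contentTypeId="content.textSelection"/>
    </palleteItem>
  </webcontextConfiguration>
  <webcontextConfiguration version="1.1">
    <palleteItem id="feeds"
        providerId="com.ibm.rcp.toolbox.feeds.FeedPalleteProvider"/>
    <palleteItem id="lookup"
        providerId="com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider">
      <contextData contentTypeId="content.person"/>
    </palleteItem>
  </webcontextConfiguration>
</inotes:extensions>
"""

if __name__ == "__main__":
    for code, detail in check_inotes_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```
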

Related tasks:
“Using an HTTP-proxy servlet to restrict URLs to external servers” on page 15
For IBM iNotes features that send requests either to external servers for external calendar overlays or to Web services (IBM Quickr integration), you must configure an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.

Using policies to control widgets and live text access

Control widgets and live text access using the settings on the Widgets tab of the desktop settings policy document.

Procedure

1. From the IBM Domino Administrator client, open an existing desktop policy settings document or create a new one.
2. From the desktop settings policy document, click Widgets.
3. Complete these settings as needed:

Table 7. Widget related desktop policy settings for iNotes

Setting
    Description

Widget catalog server
    Specify the catalog server from which to provision at application startup and periodically during replication from the catalog to the user's local replica. By default, replication occurs according to the schedule set for Normal priority applications. Use server/domain format or a fully qualified name. If you use a server/domain format, server failover is supported.

    If this policy's How to apply this setting column is set to Set value and prevent changes, users cannot change the value on the Widgets preferences panel.

    By default, this value is not set.

Widget catalog application name
    Specify the Widget catalog application name, for example toolbox.nsf, on the catalog server, from which to provision at client application startup and periodically during replication from the catalog to the user's local replica. By default, replication occurs according to the schedule set for Normal priority applications. Use the Widget Catalog template, toolbox.ntf, to create the catalog application.

    If this policy's How to apply this setting column is set to Set value and prevent changes, the client user cannot change the value on the Widgets preferences panel.

    The default catalog name is toolbox.nsf.

Widget catalog categories to install
    Specify the widget categories to install and update for this user. These categories will appear in the Categories to install list box on the Widgets preferences panel. Use this setting to limit user access to specific widget categories. If this field is blank, no widgets are installed in the user's My Widgets sidebar panel. Categories typically equate to a user grouping, such as a specific project team or job type.

    The categories listed in this policy cause the equivalent category names in the Widgets preferences panel to be selected and disabled; the user cannot deselect them.

    By default, this value is not set.

Enable Live Text
    Specify if you want auto-recognized Live Text to appear as dash-underlined text in the user's Notes document. Live Text display can be toggled on and off when working in a session.

    If this setting is disabled, the Live Text preference panel is hidden from the user.

    By default, this setting is enabled.

Enable Default Recognizers
    Specify whether the IBM-supplied, advanced Live Text recognizers such as person (name), place (address), and organization are enabled.

    If this setting is disabled, the user cannot enable it.

    By default, this setting is enabled.

Show the My Widgets panel in the sidebar
    Specify whether the My Widgets sidebar panel is visible in the Notes sidebar and whether the Widgets menus and toolbar are visible.

    If this setting is enabled and its How to apply this setting field is set to Set value and prevent changes, the end user cannot change the Show Widgets Toolbar and the My Widgets Sidebar panel value on the Widgets preferences panel.

    If this setting is disabled and its How to apply this setting field is set to Set value and prevent changes, the Widgets preferences panel is not visible to the end user.

    By default, this setting is disabled.

Restrict provider IDs for installation/execution
    Restrict installation and update of widgets to specific types referred to as provider IDs. If enabled, you can specify which widget types (provider IDs) are available using the Enable provider IDs for installation/execution setting. Note that if you restrict which widget types are available for installation, also restrict creating those same widget types using the Restrict the addition of widgets to specific types and Enable provider IDs for widget addition settings.

    By default, this setting is disabled.

Enable provider IDs for installation/execution (only applicable if Restrict provider IDs for installation/execution field is enabled)
    Specify the widget types available for installation and update. Use a comma to separate types in the list.

    These are the available widget type/Provider IDs. They correlate to the available widget types.

    • com.ibm.notes.toolbox.provider.NotesViewPalleteProvider
    • com.ibm.notes.toolbox.provider.NotesFormPalleteProvider
    • com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider
    • com.ibm.rcp.toolbox.feeds.FeedPalleteProvider
    • com.ibm.rcp.toolbox.google.provider.internal.GooglePalleteProvider
    • com.ibm.rcp.toolbox.prov.provider.ToolboxProvisioning
    • com.ibm.rcp.toolbox.search.provider.SearchPalleteProvider
    • com.ibm.rcp.toolbox.ca.provider.internal.CAActionPalleteProvider
    • com.ibm.notes.toolbox.provider.XPagesPalleteProvider

    Default:

    com.ibm.rcp.toolbox.google.provider.internal.GooglePalleteProvider,com.ibm.rcp.toolbox.web.provider.WebServicesPalleteProvider,com.ibm.rcp.toolbox.feeds.FeedPalleteProvider,com.ibm.notes.toolbox.provider.NotesViewPalleteProvider,com.ibm.rcp.toolbox.prov.provider.ToolboxProvisioning,com.ibm.notes.toolbox.provider.NotesFormPalleteProvider,com.ibm.rcp.toolbox.search.provider.SearchPalleteProvider,com.ibm.rcp.toolbox.ca.provider.internal.CAActionPalleteProvider,com.ibm.notes.toolbox.provider.XPagesPalleteProvider

    For example, if the policy setting Restrict provider IDs for installation/execution is set to Enabled and Enable provider IDs for installation/execution is set to this value, the user can only install or provision Google Gadget widget types:

    com.ibm.rcp.toolbox.google.provider.internal.GooglePalleteProvider

Restrict extension point IDs for installation/execution
    Restrict the installation of widgets that contain certain extension points. If enabled, you can then specify which extension point IDs are allowed using the Enable extension point IDs for installation/execution setting.

    Note: Extension points are an Eclipse feature. They define new function points for the platform that other plug-ins can plug into. Eclipse provides many extension points with the core platform. The Widgets and Live Text feature also provides some extension points.

    Notes and Expeditor provide these and many other identifiers:

    • com.ibm.rcp.ui.shelfViews
    • com.ibm.rcp.search.engines.searchEngines
    • com.ibm.rcp.search.ui.searchBarSets
    • com.ibm.rcp.content.contentTypes
    • com.ibm.rcp.annotation.regex.regexTypes

    By default, this setting is disabled.

Enable extension point IDs for installation/execution (only applicable if Restrict extension point IDs for installation/execution field is enabled)
    You can restrict or add to this list. Use a comma to separate items in the list.

    Default:

    org.eclipse.ui.popupMenus,com.ibm.rcp.content.contentTypes,com.ibm.rcp.annotation.regex.regexTypes,com.ibm.rcp.ui.shelfViews,org.eclipse.ui.views,org.eclipse.ui.viewActions,com.ibm.rcp.search.engines.searchEngines,com.ibm.rcp.search.ui.searchBarSets

    For example, these settings specify that widgets can contribute content types but not any other extension point:

    com.ibm.rcp.toolbox.admin/toolboxdynamicExtPtIDs=com.ibm.rcp.content.contentTypes

Install widgets from catalog
    Specify whether a user can browse the configured catalog and select widgets to install to the My Widgets sidebar panel or sidebar. If enabled, the user can select a widget from the catalog and drag and drop the widget's XML extension attachment to their My Widgets sidebar panel. They can also select additional categories to be provisioned with (in addition to those listed in the Widget catalog categories to install policy) using their Widgets preferences panel.

    By default, this setting is disabled.

Preventing users from requesting a return receipt

IBM iNotes includes the mail policy setting Do not allow users to set return receipt. When enabled, this mail policy setting prevents users from setting a return receipt on their outgoing messages.

Procedure

1. From the IBM Domino Administrator client, open an existing mail policy settings document or if necessary, create a new one.
2. In the mail settings document, click Mail > Basics.
3. Click to select the Do not allow users to set return receipt check box.
4. Click Save and Close.

Creating security policy settings for iNotes users

To create or enforce security settings for IBM iNotes users, you must create a security policy settings document.

About this task

Although there are other security policy settings that can be created for IBM Notes users, the settings here are applicable to iNotes security, and the explanations in the following table describe how these settings affect iNotes users.

For a full explanation about using policies, and the relationship between Policy documents and policy settings documents, see the Policy documentation in the IBM Domino Administrator documentation on the Notes and Domino wiki at http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

Procedure

1. Make sure that you have Editor access to the Domino Directory and one of these roles:
   • PolicyCreator role to create a settings document
   • PolicyModifier role to modify a settings document
2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.
3. Click Add Settings, and then choose Security.
4. On the tabs listed in the following tables, complete these fields:

Table 8. Password Management Basics tab

Setting
    Description

Allow users to change Internet password over HTTP
    This setting determines whether the iNotes user preference Change Internet Password displays:

    • Yes (default) - allows users to use a Web browser to change their Internet passwords. iNotes users use the Change Internet Password preference to do so.
    • No - the user preference Change Internet Password will not display.

Update Internet Password When Notes Client Password Changes
    For iNotes users, this setting determines whether there will be one user preference Change Password, instead of two preferences, Change Notes ID and Change Internet Password. If there is only one preference, the Notes ID password in the mail file is updated when the Internet password is changed.

    Choose one:

    • No (default) -- User preferences include both Change Notes ID and Change Internet Password user preferences, and the user must change both.
    • Yes -- Synchronizes the user Internet password with the iNotes client password. User preferences include only the Change Password preference, which is used to change both passwords.

Enforce password expiration
    If you enable password expiration for any of the options, the security settings document defaults change. Choose one:

    • Disabled (default) - disables password expiration. If you disable password expiration, do not complete the remaining fields in this section.
    • IBM Notes only - enables password expiration for Notes passwords only. For iNotes users, this enables expiration for the Notes ID stored in the user's mail file.
    • Internet only - enables password expiration for Internet passwords only.
    • Notes and Internet -- enables password expiration for both Notes and Internet passwords. For iNotes users, it enables expiration for both the Notes ID stored in the user's mail file and for the Internet password.

    Note: Internet password expiration settings are recognized only by the HTTP protocol. This means that Internet passwords can be used indefinitely with other Internet protocols, such as LDAP or POP3.

    Note: Do not enable password expiration if users use Smartcards to log in to Domino servers.

Required password quality
    If you require users to create passwords based on password quality, specify that quality by choosing a value from the drop-down list. To use length instead of password quality, continue to the next field.

    For iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via iNotes user preferences.

Use length instead
    If you require users to create passwords based on length, click Yes. When you do, the Required Password Quality field changes to Required password length. Specify the minimum password length here.

    For iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via iNotes user preferences.


Table 9. Custom Password Policy tab

Setting
    Description

Change Password on First Notes Client Use
    Require users to change their passwords the first time they log in using Notes. For iNotes, users must change the embedded Notes ID password before using it the first time.

    Note: This works only if the policy is applied during user registration.

Table 10. Keys and Certificates tab

Setting
    Description

Warning period
    Specify the number of days prior to certificate expiration at which the user receives an expiration warning message.

Table 11. ID Vault tab

Setting
    Description

Allow Notes-based programs to use the Notes ID vault
    Set to Yes to allow iNotes users to use the Notes ID Vault to back up their Notes ID. If this feature is enabled, the user preference Synchronize Notes ID with Vault displays in iNotes security preferences.

Table 12. Proxies tab (click Edit List to view these fields)

Setting
    Description

Context
    The path of the request to the proxy server. Specifies which proxy the rule is for. Examples include:

    xsp/proxy/QuickrProxy
    xsp/proxy/GoogleProxy
    xsp/proxy/BasicProxy

URL
    Address of the site to which this policy applies.

    This is the target of the proxy.

Actions
    The set of HTTP actions this policy allows.

    These can be GET, POST, HEAD, PUT, DELETE. The most frequently used are GET and POST. For IBM Quickr integration with iNotes, make sure that HEAD is included.

Cookies
    Cookies allowed for this site. That is, the cookies that will be passed from the browser to the target URL server.

    Note: Cookies with specified names will always be proxied to this site. In addition, any incoming (Set-Cookie response headers) received from the site will also be remembered and eventually sent back on subsequent requests to this site.

Mime-types
    Content types allowed back from the target server, or use * to allow all.

Headers
    Headers allowed for this site, or use * to allow all. This attribute determines which headers are forwarded to the target server.

    Note: Cookies are not handled as a standard header. Putting the entry "cookie" in the headers list will have no effect.

Related tasks:
“Using ID vault with iNotes” on page 14

Related information:
IBM Notes and Domino wiki

Desktop policy settings supported in iNotes

When applied to a user, these desktop policy settings lock down the associated user preferences in IBM iNotes. Any existing policies previously assigned to iNotes users are enforced.

For a full explanation about using policies and the relationship between policy documents and policy settings documents, see the Policies section of the Domino Administrator documentation at http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_USING_POLICIES_881_OVER.html.

Table 13. Desktop policy settings supported in iNotes

Setting and tab
    Description

Preferences - Miscellaneous tab

Right double-click closes window
    Enable this setting if you want to allow the user to close the current IBM Notes window by double right-clicking the mouse. The setting applies only to Microsoft Windows.

Preferences - Mail tab

Mark documents read when opened in preview pane
    Enable this setting if you want to mark a document "Read" after it opens in a preview pane. Previewing allows a user to see part of a document's contents without having to open the actual document. The preview pane is a separate frame that opens in the current view.

Save sent mail
    Enable this setting to always save a copy of the user's sent mail messages in their Sent folder.

Sign sent mail
    Enable this setting if you want all user mail messages digitally signed before they are sent to other iNotes users or to users over the Internet. Digital signatures are the computerized equivalent of a handwritten signature, but they are much harder to forge. In iNotes, a digital signature is created with the user's private key and then verified with the user's public key.

Encrypt sent mail
    Enable this setting if you want all user mail messages encrypted before they are sent to other iNotes users or to users over the Internet.

Show a Popup
    Enable this setting if you want a dialog box to display when a user has new mail messages.

Play a Sound
    Enable this setting if you want a sound to play when a user receives a new mail message.

Mail checking interval
    Type the number of minutes to set the interval at which iNotes checks for new messages.

Preferences - Internet tab

Internet mail format
    Specify the Internet mail format to be used for sending messages via the Internet. Choose one:

    • HTML only - E-mail recipients with Internet-style addresses receive HTML formatted text and graphics. Notes Rich Text would need to be converted to MIME when sent over SMTP and this conversion causes a loss of fidelity if the user's default mail form is set to Rich Text Format. Recipients receive HTML e-mail if they can read it. If their e-mail program does not support MIME, then they will receive a plain text message.
    • Plain Text only - Mail recipients with Internet-style addresses receive plain text. This is the safest option to use if you are unsure whether recipients of your users' mail use a mail program that can read HTML formatted messages or Rich Text Format messages.
    • HTML and Plain Text - When users send mail to mail recipients who use mail programs that support MIME, those mail recipients receive HTML formatted mail. Mail recipients who have mail programs that do not support MIME will receive plain text. This option is the most versatile.
    • Prompt when sending - Users are prompted to specify a format each time they send an Internet mail message.

Prefix each line with
    Specify a character to use as a line prefix.

Wrap lines at
    Specify the number of characters that comprise the default line length.

Related tasks:
“Setting up type-ahead” on page 53
The type-ahead feature in IBM iNotes uses the names of people to whom users have recently sent email to populate a list of type-ahead names that display when a user is completing an address field that expects an email address. This feature caches, in memory, a list of names that are used most frequently, and then displays those names at the beginning of the list.


Chapter 4. Editing the configuration settings document for iNotes

Many of the features you enable using the configuration settings document can also be configured using policies.

About this task

See the Policies section of the IBM Domino administrator documentation for information about using policies.

Procedure

1. From the Domino Administrator, click the Configuration tab and expand the Server or Messaging section.
2. Click Configurations.
3. Select the configuration settings document for the IBM iNotes mail server(s) and click Edit Configuration.
4. Select the IBM iNotes tab.
5. Change any of the configuration settings listed in the table.

Table 14. iNotes tab settings

Setting: Action

Default Home Page: Click View/Modify to set Home Page settings.

• Default Page - Lets users customize the Home Page.

• Selected Web Page - Forces users to use a specific Web page as the Home page. Enter the URL and title.

• Custom Layout - Choose from six custom layouts to specify new mail, calendar schedule, Web links, and other options to appear in a layout.

Allow user to edit the Home page: Enable (default) to allow users to create custom Home pages and override any settings on the server.

Disable to prevent users from changing the administrator-prescribed Home page.

Alarms: Enable (default) to allow users to set alarms for appointments, meetings, events, and task deadlines.

Disable to prevent users from setting alarms that may slow server performance.

Minimum alarm polling time: Enter a number to specify how often, in minutes, the iNotes client checks the server for alarms. The default is 5 minutes. Increase this number to improve server performance.


Minimum mail polling time: Enter a number to specify how often, in minutes, the iNotes client checks the server for new mail. Default is 5 minutes. Increase this number to improve server performance.

When sending mail, set format to: Choose whether to restrict outgoing mail.

• Plain text - restricts outgoing mail to plain text only. Plain text messages can be read by most legacy mail applications.

• Let user decide - allows the user to choose the format for every outgoing mail message.

Name resolution and validation: Enable to allow alternate name lookups, similar to type-ahead in IBM Notes. Lets user resolve ambiguous names and use alternate names by checking names against a contact list or Domino Directory.
Note: This must be enabled for the iNotes secure mail feature.

Maximum attachment size (kb): Set the maximum size in kilobytes for attachments. Default is 50,000K (50MB).

You must also set the value of two Server document (or Web Site document) fields to a value higher than the Maximum attachment size. If you do not, attachments larger than 10MB will generate a server error.

• On the Internet Protocols > HTTP tab, set Maximum Size of Request

• On the Internet Protocols > Domino Web Engine tab, set Maximum Post data

Mail Threads: Enable (default) to allow users to set an iNotes user preference to view mail threads.

Encrypted mail support: Enable (default) to allow users to use a stored Notes ID to read encrypted mail. The user's ID must be stored in the mail database.

Allow user to delete their Notes ID from their mail database: Enable to allow users to delete their Notes ID from their mail database. By default, this setting is disabled.

Allow user to export their Notes ID: Enable to allow users to export and save their ID in a separate file. By default, this setting is disabled.

Require SSL when reading encrypted mail: Select one to set SSL requirement:

• No - To treat encrypted mail the same as unencrypted mail

• Client - (default) To require the browser client to use SSL, but not the server.

• Both - To require both the browser client and the server to use SSL.


Use JavaScript for SSL-redirection: Enable (default) to use JavaScript to redirect SSL.
Note: Some reverse-proxy servers do not properly fix up 302 redirects. If so, enabling this option may help. Do not enable this option unless necessary.

Allow untrusted Internet certificates to be used for S/MIME encryption: Enable to allow users to use an untrusted Internet certificate for S/MIME encryption. By default, this setting is disabled.

Instant Messaging features: Enable (default) to turn on instant messaging and live names awareness for users who have secrets and token or Lightweight Third Party Authentication (LTPA) token, and an IBM Sametime server assigned.

Online awareness: Enable (default) to turn on live names for any user who has also enabled awareness via a user preference.

Allow secrets and tokens authentication:

• Enable (default) -- to use and prefer secrets and tokens authentication if available.

• Disable -- if an LTPA token is present, disable this field to use the LTPA token instead.

Set a Sametime server hostname for all DWA users (useful for clustered configurations): Type the name of the Sametime server to set an instant messaging hostname, for example, messaging.ibm.com, for all iNotes users. Eliminates the need to populate the Sametime server field value within every user's person document.

Prefer DWA 8 Contact List:

• Enable (default) -- to use the Domino Web Access Chat client.

• Disable -- to use the Sametime Connect for browsers Chat client. Supported only for backward compatibility with Domino Web Access 7 clients on a Domino 8x server.

Note: iNotes was previously known as Domino Web Access for versions 8 and 7.

Prefer Sametime Connect for browsers (DWA 7 only):

• Enable (default) -- to load the Sametime Connect for browsers (6.5.1 or later) as the Chat client.

• Disable -- to use the Domino Web Access Chat client.

Note: iNotes was previously known as Domino Web Access for versions 8 and 7.

Pass the Organization name (commonly used when Domino is configured for xSP): For xSPs only. The default is disabled.

Enable to include the user's Organization as part of the name format. For example:

CN=John Doe/O=Renovations


Directory type used by Sametime server:

• Domino directory (or leave blank) -- if the Sametime server and iNotes server both use the Domino directory.

• Domino LDAP -- if the Sametime server uses the Domino LDAP directory and the iNotes server uses the Domino directory.

• Domino LDAP for xSP -- (xSP servers only) If the iNotes xSP server uses the Domino directory and the Sametime server uses the Domino LDAP server.

• Non-Domino LDAP -- if the Sametime server and the iNotes server both use an LDAP directory other than Domino LDAP.

Note: You can further refine the way the name format is passed to the Sametime server for login and awareness using the notes.ini file setting iNotes_WA_SametimeNameFormat, which overrides this configuration setting.

Add disclaimer notice to mail memo: Select one:

• Disabled - No disclaimer text will display

• At the top - To display disclaimer text at the beginning of iNotes mail messages

• At the bottom - (default) To display disclaimer text at the end of iNotes mail messages

Disclaimer text or HTML: Type the disclaimer text you want to display (in HTML format) on all iNotes mail messages.

Encrypt offline mail databases: Enable to allow users to encrypt their offline mail databases for security. If you enable encryption, complete the next two fields to set the encryption level. The default setting is disabled.

Offline database encryption level: Choose one:

• Simple - provides protection against casual snooping.

• Medium - provides the accurate balance among security, strength, and fast database access. Probably the correct choice for most users.

• Strong - when security requirements are paramount, and the resulting database access performance is acceptable.

Allow user to choose an encryption level: This setting, when enabled, overrides the administrator-specified encryption level and allows users to choose their own encryption level.

Allow user to go offline: Enable (default) to turn on the Work Offline feature in the iNotes client. Disable this option to prevent users from using iNotes offline, disconnected from the network.


Only sync documents modified in the last x days: Enable and then enter a number to set how many days' worth of documents to replicate (default is 90). Documents older than those specified are removed from the local replica. Users can reset this for each offline subscription file using the Domino Sync Manager. The default is disabled.

Limit document attachments during sync: Enable this setting to limit the size of attachments during sync. When set, attachments greater than 100 KB are truncated (stripped from the document) during replication. The default is disabled.

Security Settings: Enable this setting so that the user's offline Internet password remains synchronized with their online Internet password. This setting works only when the Offline Configuration document Security Settings field Keep Internet Password Synchronized is enabled.

Alternate name support: Enable (default) to allow iNotes users to display alternate names in a native language.

Disable to prevent iNotes from displaying alternate user names in a native language. When disabled, users see alternate names in English only.

Preferred alternate name language: This setting overrides the preferred language for an alternate name in user preferences.

Pick from a list to select the default alternate name language. The default is English.

Allow user to choose alternate name display: Enable to let users choose the preferred language for an alternate name.

Disable (default) to prevent users from controlling alternate name support.

Allow user to select default active view: Enable (default) to allow users to select a default active view.

When opening Domino Web Access, open to: Select the view that displays when the user logs on to iNotes.

Browser Cache Management: Enable (default) to install Browser Cache Management.

Automatically install Browser Cache Management: Enable to automatically install Browser Cache Management the first time a user accesses iNotes from a computer on which Browser Cache Management is not installed. If not set, the user can install it on their own from user preferences, but installing Browser Cache Management is not required. The default is disabled.


Default cache scrubbing level: Set the automatic cache clearing level for the iNotes server. Type a number from 1-5 where:

0 - Deletes the caches including personal information related to the mail database.

1 - Deletes all URLs that begin with the mail file path.

2 - Deletes all URLs in the cache that originate from the server host name, except for URLs that contain /iNotes/FORMS85.NSF, the current forms file (or /iNotes/FORMS8.NSF, /iNotes/Forms7.nsf, or iNotes/Forms6.nsf).

3 - Deletes all URLs in the cache that originate from the server hostname.

4 - Deletes all URLs in the cache except for URLs that contain /iNotes/FORMS85.NSF, the current forms file (/iNotes/FORMS8.NSF, /iNotes/Forms7.nsf, or iNotes/Forms6.nsf).

5 - Deletes all URLs in the cache.

Clear history when browser window is closed: Enable to clear the browser history when the window is closed. Prevents access to previously displayed pages by unauthorized users. The default is disabled.

Disallow attachments if not installed: Enable to prevent users from adding or accessing attachments in email if Browser Cache Management is not installed. The default is disabled.

Using this setting prevents users who have not installed Browser Cache Management from accessing or copying sensitive information in an attachment at an unsecured workstation.

Maintain static code archive between sessions: Enable (default) to move static iNotes design entries from the cache to a local folder on the machine so that they can be restored to the browser cache when the browser is started again.

Archiving on server: Enable (default) to allow users to create archives of their mail files on the server.

Disable to prevent creation of mail archives and save disk space on the server.

Full-text indexing: Enable (default) to allow users to create a full-text index of their mail, calendar, and task entries on the server.

Disable to prevent creation of full-text indexes to save disk space on the server and improve performance.


Modification of Internet password: Enable (default) to allow users to change their Internet password.

Calendar printing: Enable (default) to allow users to print various calendar formats, including DayRunner, Franklin Planner, and Trifold. Calendar printing uses the PDF format from Adobe Acrobat.

Disable to prevent users from printing Calendar formats using PDF.

iNotes ActiveX file attachment utility: Enable (default) to allow users to use the custom file upload utility to drag-and-drop file attachments, select files easily, and have multiple file views.

Disable to allow users to use the standard browser file upload utility.

Compress HTTP response data: Enable (default) to turn on GZIP compression.

Disable if the browser used does not support GZIP compression.

Rooms and Resources: Enable (default) to allow access to the room and resource database when scheduling meetings.

Reuse Child Windows: Enable to enforce this feature globally for all users. If disabled (the default) users can enable this feature via user preferences.

Local Archiving: Enable to allow users to archive locally to their own system.

Note: The Instant Messaging settings and the Local Archiving setting, under Other Settings, on the iNotes tab in the configuration settings document apply to users whose mail file is based on the MAIL (R8) mail template, MAIL8.NTF, or later. In a mixed environment, for users whose mail file is based on iNotes 6, use the equivalent notes.ini file settings.

6. Save the document and restart the Domino server.


Related tasks:
“Adding a disclaimer to outgoing iNotes messages” on page 47
You can add a disclaimer to outgoing IBM iNotes messages. A disclaimer is a denial or a disavowal of legal responsibility for the contents of the message. In some countries, not having a proper disclaimer on messages may result in fines leveled by regulatory agencies.
“Configuring alternate name support in iNotes” on page 48
An alternate name is helpful when a user wants to use his or her native language and character set to type, display, and look up names. For example, users can type a name in a native language and character set when sending mail. A user's primary name is recognizable to an international audience; an alternate name is recognizable to the user's native language.
“Setting a maximum attachment size” on page 51
You can set a maximum attachment size other than the default value.
“Using browser cache management” on page 49
Use browser cache management to improve client side performance and security of IBM iNotes sessions on Internet Explorer by controlling which entries are stored in the cache and which are removed when the iNotes session ends.
“Using notes.ini file settings for iNotes in a mixed environment” on page 58
The following notes.ini file settings have been replaced by settings in the configuration settings document beginning with IBM Lotus® Domino 7. To configure users who have the DWA7, Mail8 or a later mail template, use the appropriate settings on the iNotes tab of the configuration settings document instead of these variables.

Secure mail for iNotes

To allow IBM iNotes users to encrypt and digitally sign email messages, you must enable both the Encrypted mail support and the Name Resolution and Validation fields on the iNotes tab of the server's configuration settings document.

If an SSL connection is required for either the client or both the client and server, iNotes users cannot read or send encrypted messages when connected via HTTP. If the user is connected via HTTP, they must switch to HTTPS when accessing the encrypted message on the server. This switch occurs automatically when sending encrypted mail. The user is prompted to switch when reading encrypted mail.

Note: If you allow encrypted email to be sent over nonsecure connections, you are also allowing the transmission of user credentials over nonsecure connections.

S/MIME is supported in iNotes. Users can verify an S/MIME signature on a received message. Users who have an X.509 certificate in their mail file-based IBM Notes ID can decrypt received S/MIME messages as well as S/MIME sign messages they send. Outgoing messages can be S/MIME encrypted for recipients who have an X.509 certificate in the IBM Domino directory or in iNotes contacts. To allow an X.509 certificate to be used by iNotes, an Internet cross-certificate must be issued from the user's organizational certifier to the certificate authority that issued the X.509 certificate. This Internet cross-certificate must be present in the Domino directory.

When both Notes and S/MIME sign and encryption are possible, iNotes uses S/MIME sign and encryption by default. This could cause problems in a mixed environment that includes pre-Domino 7 servers. Pre-Domino 7 servers do not support S/MIME, so messages sent S/MIME signed and encrypted could not be verified or decrypted. Use the notes.ini file setting iNotes_wa_SecMailPreferNotes to turn on Notes sign and encryption when both S/MIME and Notes sign and encryption are possible. This setting is not supported offline.

Deployment differences between Notes and iNotes

• Recovery authority -- iNotes does not support recovery authority unless it is already in the ID mailed to the user.

• Imported Notes IDs -- Notes IDs cannot be Smartcard enabled.

• Certificates -- iNotes looks for certificates first in the Domino directory and then in the contacts.

• Cross certificates -- iNotes looks for cross certificates only in the Domino directory. If you are using iNotes, you must create any required cross certificates in the Domino directory.

• Multiple domains -- If you are administering multiple domains, use directory assistance for an extended directory catalog on the server. Do not use a condensed directory catalog on the server.

• Offline -- If you are using a directory catalog, you must enable it for encrypted mail.

Related tasks:
Chapter 4, “Editing the configuration settings document for iNotes,” on page 39
Many of the features you enable using the configuration settings document can also be configured using policies.
“Using iNotes Redirect to access mail in iNotes” on page 17
IBM iNotes users can access their mail files using iNotes Redirect. With iNotes Redirect, users do not need to know the name of their mail file and mail server, they need only know the name of the iNotes Redirect server. iNotes Redirect uses IBM Domino authentication methods to redirect a user's browser to their mail file based on their user name and password.
“Creating security policy settings for iNotes users” on page 31
To create or enforce security settings for IBM iNotes users, you must create a security policy settings document.

Related information:
Knowledge Collection: Directory Assistance and Lotus iNotes/Domino Web Access (DWA)

Adding a disclaimer to outgoing iNotes messages

You can add a disclaimer to outgoing IBM iNotes messages. A disclaimer is a denial or a disavowal of legal responsibility for the contents of the message. In some countries, not having a proper disclaimer on messages may result in fines leveled by regulatory agencies.

About this task

You can set up email disclaimers by using the mail server's configuration settings document, setting the notes.ini file setting iNotes_WA_PreventClientDisclaimer, and setting up and applying the mail policy settings document. Both documents are stored in the Domino directory, names.nsf, on the server.

Procedure

1. From the IBM Domino administrator client, select the server's configuration settings document, and click Edit Configuration.
2. Click Router/SMTP > Message Disclaimers.
3. In the Message Disclaimers section, click Enabled.
4. Click IBM iNotes.
5. In the Disclaimer Text section, in the Add disclaimer notice to mail memo, click Enabled.
6. Click Save and Close.
7. In the Domino administrator client, open the mail policy settings document.
8. Click Mail > Message Disclaimers.
9. In the Disclaimer text field, click Modify.
10. Enter the disclaimer text that you want to display on outgoing iNotes mail messages. Click OK.
11. Click Save and close.
12. Open the server's notes.ini file and add the setting

iNotes_WA_PreventClientDisclaimer=1

13. Save and close the notes.ini file.

Related tasks:
“Creating mail policy settings for iNotes users” on page 23
IBM Domino administrators can use a number of mail policy settings.

Configuring alternate name support in iNotes

An alternate name is helpful when a user wants to use his or her native language and character set to type, display, and look up names. For example, users can type a name in a native language and character set when sending mail. A user's primary name is recognizable to an international audience; an alternate name is recognizable to the user's native language.

About this task

By default, IBM iNotes allows users to view alternate names but not in any language other than English. You can change iNotes to allow users to send and view alternate names in their own native language.

Note: Before a user can use an alternate name for a primary name, you must register and certify the alternate name.

To allow users to display alternate names in the language of their choice

About this task

Complete this procedure so that the Display alternate names option appears in the iNotes basic preferences. Users can then display alternate names in the language of their choice.

Procedure

1. From the IBM Domino Administrator, click Configuration and expand the Messaging section.
2. Click Configurations.
3. Select the configuration settings document for the iNotes mail server(s) and click Edit Configuration.
4. Select the iNotes tab.
5. Under Mail, enable Name resolution and validation.
6. Under International, enable Alternate name support.
7. Under International, enable Allow user to choose the alternate name display.
8. Save the document and restart the Domino server.

To allow users to view alternate names in the languages set by the server

About this task

Complete this procedure so that the Change Internet Password option appears in the iNotes Basics user preferences. Users can then display alternate names in the languages set by you on the server.

Procedure

1. Perform steps 1 through 6 in the “To allow users to display alternate names in the language of their choice” on page 48 procedure.
2. Disable the setting Allow user to choose alternate name display.
3. In the field Preferred alternate name languages, choose languages from the list.
4. Save the document and restart the Domino server.

Using browser cache management

Use browser cache management to improve client side performance and security of IBM iNotes sessions on Internet Explorer by controlling which entries are stored in the cache and which are removed when the iNotes session ends.

About this task

Many organizations restrict files that remain in the browser cache for security reasons, but for lower-end machines, loading iNotes for each session may adversely impact performance. So, for example, assume you want to leave iNotes design elements in the cache for performance reasons, but remove everything retrieved from mail files for security reasons.

You can set the cache scrubbing level to remove all cache entries or only those related to the user's mail file. Browser cache management improves client side performance, for example, by archiving static design elements of iNotes locally, and then restoring them to the cache the next time the browser is accessed. This is particularly useful when iNotes is accessed via a lesser bandwidth connection.

Setting up browser cache management

About this task

Set up browser cache management in the iNotes server's configuration settings document. Once you have enabled this feature, you can choose whether to install it on iNotes clients automatically, or to give users the option of installing it. If you install it automatically, the first time a user accesses iNotes, a browser cache management system confirmation displays, prompting the user to close all browser windows for browser cache management to take effect.

If you enable browser cache management but do not install it automatically, users can install and uninstall it using an iNotes preference (Preferences - Logout). If you have not enabled browser cache management, this preference is not visible. As an additional security measure, you can prevent users who have not installed browser cache management from adding or accessing email attachments.

Once the browser cache management feature is installed on a user's system, the cache cleanup occurs based on the cache scrubbing level set in the server's configuration settings document. The user cannot change this. However, if it has not been installed, users can manually clear the cache at logout by clearing the history, and selecting one of these logout options:

• Secure -- Deletes all entries in the cache except iNotes design elements, which are archived locally when the last instance of Internet Explorer is closed, and restored back into the browser cache when the next instance of Internet Explorer is opened.

• More Secure -- Deletes all entries in the cache.
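The cache scrubbing levels 1 to 5 listed in Table 14, modelled over a constructed cache as an added example (this is not IBM code). The host name, mail file path and URLs are constructed; case-insensitive matching and reading level 1 as "on the server, path begins with the mail file path" are assumptions, and level 0 is left out because the table gives no URL rule for it.

```python
from urllib.parse import urlsplit

# Forms files named in the "Default cache scrubbing level" row of Table 14.
# Case-insensitive substring matching is an assumption of this sketch.
FORMS_FILES = ("inotes/forms85.nsf", "inotes/forms8.nsf",
               "inotes/forms7.nsf", "inotes/forms6.nsf")


def is_forms_url(url):
    """True if the URL points into one of the iNotes forms files."""
    return any(name in url.lower() for name in FORMS_FILES)


def is_from_server(url, server_host):
    """True if the URL originates from the iNotes server host name."""
    return (urlsplit(url).hostname or "") == server_host.lower()


def is_mail_file_url(url, server_host, mail_path):
    """True if the URL is on the server and its path begins with the mail file path."""
    path = urlsplit(url).path.lower()
    return is_from_server(url, server_host) and path.startswith(mail_path.lower())


def is_scrubbed(url, level, server_host, mail_path):
    """Apply the level 1-5 rule from the table to a single cached URL."""
    if level == 1:
        return is_mail_file_url(url, server_host, mail_path)
    if level == 2:
        return is_from_server(url, server_host) and not is_forms_url(url)
    if level == 3:
        return is_from_server(url, server_host)
    if level == 4:
        return not is_forms_url(url)
    if level == 5:
        return True
    raise ValueError("only levels 1-5 are modelled")


def remaining_after_logout(cache, level, server_host, mail_path):
    """URLs still in the cache after scrubbing at the given level."""
    return [u for u in cache if not is_scrubbed(u, level, server_host, mail_path)]


def levels_meeting_policy(cache, must_remove, must_keep, server_host, mail_path):
    """Levels that delete every URL in must_remove and keep every URL in must_keep."""
    ok = []
    for level in range(1, 6):
        left = set(remaining_after_logout(cache, level, server_host, mail_path))
        if not (left & set(must_remove)) and set(must_keep) <= left:
            ok.append(level)
    return ok


# Constructed sample data, not taken from a real server.
SERVER = "mail.example.com"
MAIL_PATH = "/mail/jdoe.nsf"
CACHE = [
    "https://mail.example.com/mail/jdoe.nsf/($Inbox)/0A1B?OpenDocument",
    "https://mail.example.com/mail/jdoe.nsf/0/0A1B/$File/report.pdf",
    "https://mail.example.com/iNotes/FORMS85.NSF/script.js",
    "https://mail.example.com/names.nsf/people",
    "https://www.example.org/news.html",
]

if __name__ == "__main__":
    for level in range(1, 6):
        print(level, remaining_after_logout(CACHE, level, SERVER, MAIL_PATH))
    # The scenario from the text: drop mail content, keep design elements.
    print(levels_meeting_policy(CACHE, CACHE[:2], [CACHE[2]], SERVER, MAIL_PATH))
```

For the scenario in the text (remove everything retrieved from the mail file, keep the design elements), the model shows which levels qualify and what else each of them leaves behind on the workstation.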

Making calendar details available to all users

You can make calendar details available to all users with settings on the server's configuration settings document.

About this task

By default, IBM iNotes users can view free and busy times of other users when creating group calendar entries or meeting invitations, but they cannot view details for each time slot. It may be helpful for users to see detailed information, such as what kind of appointments are scheduled for a particular time slot, when they schedule meetings.

To make calendar details available to all users:

Procedure

1. From the IBM Domino administrator, open the iNotes server configuration settings document.
2. On the Basics tab, for the field Use these settings as the default settings for all servers, click Yes.
3. Enable the field Extract calendar details.

Note: The Extract calendar details field does not display unless you perform step 2.

Making Notes links work in iNotes

You can configure IBM iNotes so that users can open IBM Notes links (document, view, or application links) in either a new browser window or in Notes. iNotes supports Notes links to any server, as long as the user has access to the application to which the link connects and the application is on an IBM Domino server in the local area network.

Procedure

1. From the Domino Administrator, click the Configuration tab.
2. Select the Server view and open the server document for the mail server.
3. Click Edit Server.
4. Choose the Internet Protocols tab, then the Domino Web Engine tab.
5. Set the field Redirect to resolve external links to By server or By Database.
6. Click Save & Close.
7. Add the setting DominoHTMLOptions=OfferNotesURLInLink=1 to the Domino Web server's notes.ini file. This setting generates a Notes link, notes:// protocol link, for any displayed Notes URL link, which allows iNotes users to alternatively open the document within Notes rather than within the browser. The setting also ensures that both links are available when messages are forwarded or replied to with history. If you set DominoHTMLOptions=OfferNotesURLInLink=2, you only see Notes links.

Related concepts:
“Administering iNotes” on page 5
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Setting a maximum attachment size

You can set a maximum attachment size other than the default value.

About this task

By default, IBM iNotes allows a maximum attachment size of 50,000K (50MB). You can increase this amount by setting the Maximum attachment size (kb) field in the IBM Domino server configuration settings document, iNotes tab. However, attachment size is based on two parameters that default to a 10,000K (10MB) limit independent of this setting. So even though iNotes allows for a larger attachment, the following two settings must be increased to a value larger than the iNotes maximum attachment setting for users to be able to add attachments larger than 10MB.

In the server or web site document, specify a value for these settings that is greater than the value in the iNotes Maximum attachment size field:

• In the server document, modify Internet Protocols > HTTP > Maximum Size of Request.

• In the server or web site document, modify Internet Protocols > Domino Web Engine > Maximum Post data.


Chapter 5. Specifying notes.ini file settings for iNotes

A number of notes.ini file settings are available, some also represented in policy documents, to help you tune your configuration of IBM iNotes. This section contains many of the notes.ini file settings for iNotes, but is not a comprehensive list due to the fact that some have been replaced by settings in the server configuration document.

Setting up type-ahead
The type-ahead feature in IBM iNotes uses the names of people to whom users have recently sent email to populate a list of type-ahead names that display when a user is completing an address field that expects an email address. This feature caches, in memory, a list of names that are used most frequently, and then displays those names at the beginning of the list.

About this task

Type-ahead is on by default. Optionally, use the notes.ini file settings described in the related information to disable or to further define type-ahead.

Note: If you used the notes.ini file setting iNotes_WA_NameTypeahead or iNotes_WA_NameTypeaheadStartTimeout to set up type-ahead in previous versions of IBM Domino, they are ignored in current releases of iNotes.

Note: The desktop policy setting Disable type-ahead for all names and use the Notes Basic type-ahead does not affect iNotes.

Related information:
Changes to the Lotus iNotes type-ahead feature in 8.5.1

Using prefetch for documents
You can set a notes.ini file variable so that the client loads the contents of either the visible unread messages or all visible messages in an asynchronous manner after the view list is loaded.

About this task

Using prefetch for documents results in messages opening faster from the view, because the contents are not being loaded when the message is opened; rather, they have already been fetched and exist in the view.

Note that enabling this feature may have some bandwidth or server CPU consumption tradeoffs. To enable this feature, use the notes.ini file setting iNotes_WA_PrefetchDocuments=value, where:

1 = fetch all unread documents shown in the mail view

2 = fetch all documents shown in the mail view


Enabling Web-style search
To search IBM iNotes using a Web-style query, enable the notes.ini file setting INOTES_WA_DISABLE_WEBSTYLE_SEARCH=1.

About this task

A Web-style search treats multiple terms as though the AND operator connects them. Documents that are returned have all the terms but not necessarily in the order they were entered. Currently, the iNotes default style of search is equivalent to enclosing the terms within quotation marks so that a search returns documents with an exact match of the words in the order they were entered in the search field. To search iNotes using a Web-style query, enable the notes.ini file setting INOTES_WA_DISABLE_WEBSTYLE_SEARCH=1.

Allowing users to take the Domino directory offline
You can use a notes.ini file variable, $DOLSDirectoryCatalog, to set the name of an IBM Domino directory that the user may take offline.

About this task

This setting makes a part of the interface visible in the user's preferences, giving users the option of taking the server's directory catalog or Domino directory offline.

For example, if the notes.ini file contains $DolsDirectoryCatalog=dc.nsf, the user sees a new preference setting, Include server's Domino Directory. If the user enables this setting, the server's directory catalog is included among the files when the user goes offline.

Taking the directory catalog rather than the Domino directory offline improves performance and saves space on the user's disk drive.

Disabling the Active Content Filter
Use the notes.ini file variable, iNotes_WA_DisableActCntSecurity, to disable the Active Content Filter. A setting of 1 disables the filter. Setting this variable to 0 (or omitting it from the server's notes.ini file) enables the filter.

About this task

The Active Content Filter is intended to remove potentially harmful active content (JavaScript, Java™, ActiveX) from HTML in mail messages prior to display in a browser. Active content filtering can reduce server performance because it requires a full parse of HTML content and a rewrite of the content.

Setting the level of automatic cache clearing
If you choose not to enable Browser Cache Management for the IBM Domino server, IBM iNotes tab of the Configuration Settings document, you can set the level of automatic cache clearing using the notes.ini file variable iNotes_WA_LogoutScrubType.

About this task

The format is:

iNotes_WA_LogoutScrubType=value

Related tasks:
“Using browser cache management” on page 49
Use browser cache management to improve client side performance and security of IBM iNotes sessions on Internet Explorer by controlling which entries are stored in the cache and which are removed when the iNotes session ends.

Redirecting users to a Web page after logout
About this task

Use the notes.ini file variable, iNotes_WA_LogoutRedirect, to specify a URL to redirect users to a Web page after logging out from the server. The setting provides normal cache clearing with the IBM iNotes control, and clearing of browser credentials. This variable allows sites which have additional actions that need to happen on a logout (such as logging out of a reverse proxy server) to specify a URL to do this additional activity. Or you can use this variable to return people to an initial login page. The format for this setting is iNotes_WA_LogoutRedirect=URL. For example:
iNotes_WA_LogoutRedirect=http://www.ibm.com

Specifying the number of names to return
Use the notes.ini file setting, iNotes_WA_NameLookupMaxNumMatch=value to specify the maximum number of names to return on name lookups.

About this task

The default is 200. You can reduce this number to improve server performance.

Using GZIP to improve iNotes performance
By default, IBM iNotes uses compression, GZIP format, to reduce network bandwidth consumption and provide better performance, particularly for users with slow network connections. You can use the Compress HTTP response data setting in the configuration settings document to enable or disable compression. Use the notes.ini file settings to turn GZIP compression on and off, and to specify the types of content to compress.

About this task

After compression, iNotes generated pages are cached in the web server's page cache, which also improves server performance. Use the Compress HTTP response data setting in the Other Settings section on the iNotes tab of the configuration settings document to enable or disable compression by completing these steps:

Procedure
1. From the IBM Domino Administrator client, click Configuration > Servers.
2. Select the server's configuration document and click Edit Configuration.
3. Click the iNotes tab.
4. In the Other Settings section, in the Compress HTTP response data field, select Enabled.
5. Click Save and Close.

iNotes_wa_GZIP_Disable
About this task

Use this setting to turn compression on and off. The default is 0 (on). For example, to turn off compression:
iNotes_wa_GZIP_Disable=1

iNotes_wa_GZIP_Content_Types_Included
About this task

Use this setting to define which types of content you want to compress. The default is:
"text/*;application/*"

For example, to compress all text:
iNotes_wa_GZIP_Content_Types_Included="text/*"

iNotes_wa_GZIP_Content_Types_Excluded
About this task

Use this setting to define which types of content you do not want to compress. The default is:
"image/*;application/pdf"

For example, to exclude XML data so that it will not be compressed:
iNotes_wa_GZIP_Content_Types_Excluded="image/*;text/xml"

Related tasks:
“Specifying the number of names to return” on page 55
Use the notes.ini file setting, iNotes_WA_NameLookupMaxNumMatch=value to specify the maximum number of names to return on name lookups.

Enforcing two-digit years in a calendar
Administrators can enforce the use of two-digit years by disabling the International date settings preference available to users.

Procedure
1. Open the notes.ini file.
2. To disable the International date setting preference so that users will not be able to choose between two- and four-digit dates, disable that preference as follows:
iNotes_WA_Prefer2DigitYearInView=0

Enabling days in work week calendar display
You can enforce the display of a five-day work week, or allow IBM iNotes users to decide whether or not to display it.

Procedure
1. Open the notes.ini file.
2. Set iNotes_WA_CalViewWorkDays=0 to enforce a five-day work week to display, with Saturday and Sunday as the weekend (default). This disables the days in the work week in the Calendar Display preferences section. Set the value to 1 to allow users to choose individual work days in the Calendar Display preferences.

Enabling or disabling the secondary calendar
Administrators can specify a notes.ini file setting to enable or disable the display of a secondary calendar.

Procedure
1. Open the notes.ini file.
2. Set iNotes_WA_AltCalendar=1 to enable the Secondary calendar preference. The secondary calendar will not be displayed in the Two Weeks and Month calendar views, and it is supported only in full mode. (It is not supported in ultra-light or classic mode). If enabled, users can choose to show a secondary, non-Gregorian calendar alongside their primary calendar. The secondary calendar is displayed next to the day in the date header of each supported calendar view. As of version 8.5.2, only the Japanese Six Day (Rokuyo) and Hebrew national calendars are supported.

Enabling a whitelist of acceptable file types
To prevent direct opening of attachments that may contain harmful content, a content-disposition header has been added that instructs the browser to save the file attachment rather than opening it directly.

About this task

The downside of this is that attachments of known file types (jpg, pdf, and so on) that would have opened now require additional steps for the customer. A whitelist mechanism has been implemented using two notes.ini file variables to allow customers to specify file types that should not be prevented from downloading.
• iNotes_WA_Sec_AttachCDHeader
  – If set to 0, turns off the header setting.
  – If set to 1 (default), sets the header for all file types except those in the whitelist, plus (if the user-agent indicates Mobile and Safari) .bmp, .gif, .jpg, and text, plus (if the user-agent indicates Mobile and Safari and Android) the extensions already listed, plus .csv, .doc, .pdf, .ppt, and .xls.
  – If set to 2, sets the header for all file types except those in the whitelist. This allows device browsers to open the default file types in cases where either the notes.ini value is set to 1, or is not set at all. In this case, both the default four file types and those entered in the notes.ini file are used.
• iNotes_WA_Sec_AttachCDWhiteList
  Specifies a comma-delimited list of attachment types to allow opening directly, for example, iNotes_WA_Sec_AttachCDWhiteList=jpg,pdf,gif
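
Several settings in this chapter change what reaches the browser: the Active Content Filter, the logout redirect, and the attachment header and whitelist described above. The following Python audit of a server's notes.ini is an added example, not IBM code; the function names, the list of risky extensions, the severity labels, the redirect allow-list and the sample file are assumptions of the example.

```python
from urllib.parse import urlsplit

# Extensions a browser can treat as active content when opened directly.
# Assumption of this example; the iNotes documentation defines no such list.
RISKY_INLINE_TYPES = {"htm", "html", "xhtml", "svg", "xml", "swf", "hta"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[Notes]
DominoHTMLOptions=OfferNotesURLInLink=1
iNotes_WA_DisableActCntSecurity=1
iNotes_WA_Sec_AttachCDHeader=1
iNotes_WA_Sec_AttachCDWhiteList=jpg, pdf, .HTML
iNotes_WA_LogoutRedirect=http://www.ibm.com
INOTES_WA_SENDRETURNRECEIPT=2
"""


def parse_notes_ini(text):
    """Return {lower-cased name: [values in file order]}.

    Splits on the first '=' only, so DominoHTMLOptions=OfferNotesURLInLink=1
    keeps its embedded '='. Names are compared case-insensitively (assumption;
    the page writes both $DOLSDirectoryCatalog and $DolsDirectoryCatalog).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:  # blank lines and the [Notes] header
            continue
        name, _, value = line.partition("=")
        settings.setdefault(name.strip().lower(), []).append(value.strip())
    return settings


def audit(text, allowed_redirect_hosts=()):
    """Return a list of (severity, setting, message) findings."""
    ini = parse_notes_ini(text)
    allowed = {h.lower() for h in allowed_redirect_hosts}
    findings = []

    def values(name, default):
        # Conflicting duplicates are reported and every value is checked,
        # because the example does not assume which line the server honours.
        found = list(dict.fromkeys(ini.get(name.lower(), [])))
        if len(found) > 1:
            findings.append(("medium", name,
                             "conflicting values: " + ", ".join(found)))
        return found or [default]

    # Omitting the variable leaves the filter enabled (default "0").
    for v in values("iNotes_WA_DisableActCntSecurity", "0"):
        if v == "1":
            findings.append(("high", "iNotes_WA_DisableActCntSecurity",
                             "Active Content Filter is disabled"))

    # Default is 1: header set for everything outside the whitelist.
    for v in values("iNotes_WA_Sec_AttachCDHeader", "1"):
        if v == "0":
            findings.append(("high", "iNotes_WA_Sec_AttachCDHeader",
                             "content-disposition header is turned off"))

    for v in values("iNotes_WA_Sec_AttachCDWhiteList", ""):
        types = {t.strip().lstrip(".").lower() for t in v.split(",") if t.strip()}
        risky = sorted(types & RISKY_INLINE_TYPES)
        if risky:
            findings.append(("medium", "iNotes_WA_Sec_AttachCDWhiteList",
                             "whitelist opens active-content types directly: "
                             + ", ".join(risky)))

    for v in values("iNotes_WA_LogoutRedirect", ""):
        if not v:
            continue
        url = urlsplit(v)
        if url.scheme != "https":
            findings.append(("low", "iNotes_WA_LogoutRedirect",
                             "logout redirect does not use https: " + v))
        if (url.hostname or "").lower() not in allowed:
            findings.append(("medium", "iNotes_WA_LogoutRedirect",
                             "logout redirect host is not on the allow-list: " + v))

    # Unset behaves like 1: the receipt goes out without a prompt.
    for v in values("iNotes_WA_SendReturnReceipt", None):
        if v in (None, "1"):
            findings.append(("info", "iNotes_WA_SendReturnReceipt",
                             "return receipts are sent without asking the user"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit(SAMPLE_INI, {"www.ibm.com"}):
        print(f"{severity:<6} {setting}: {message}")
```

Settings held in the configuration settings document or in policy documents are not visible to this check, so a clean result covers only the notes.ini file.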


Using notes.ini file settings for iNotes in a mixed environment
The following notes.ini file settings have been replaced by settings in the configuration settings document beginning with IBM Lotus Domino 7. To configure users who have the DWA7, Mail8 or a later mail template, use the appropriate settings on the iNotes tab of the configuration settings document instead of these variables.

About this task

Although you cannot use these notes.ini file settings beginning with Domino 7, they have not been obsoleted, and are still valid for users who have the iNotes6 mail template. In a mixed environment in which both iNotes6 and DWA7 or later mail templates are used, the notes.ini file setting will apply to iNotes6 users, but the corresponding configuration settings will override these notes.ini file settings for DWA7, Mail8, or later mail template users.

Table 15. Notes.ini file settings that have been replaced by Configuration Settings document settings

Notes.ini Setting               Configuration Settings document field
iNotes_WA_Chat                  Instant Messaging features
iNotes_WA_LiveNames             Online awareness
iNotes_WA_SametimeJavaConnect   Prefer IBM Sametime Java Connect for browsers
iNotes_WA_NoLocalArchive        Local Archiving
iNotes_WA_SametimeServer        Set an Instant Messaging server hostname for all Domino Web Access users
iNotes_WA_SametimeToken         Allow secrets and tokens authentication

Preventing users from acknowledging a request for a return receipt on iNotes incoming mail messages
Use a server notes.ini file parameter to show or suppress a prompt that lets the IBM iNotes client user choose whether to acknowledge a request for a return receipt on an incoming message.

About this task

If you do not set the notes.ini file parameter, a return receipt is sent when a user receives a request for one.

Procedure

In the server's notes.ini file, set the iNotes_WA_SendReturnReceipt setting as explained here:
• iNotes_WA_SendReturnReceipt=2
  Displays a prompt giving the iNotes user the choice whether to acknowledge a request for a return receipt.
• iNotes_WA_SendReturnReceipt=1
  Always sends a return receipt; does not offer the user a choice.
• iNotes_WA_SendReturnReceipt=0
  Never sends a return receipt; does not offer the user a choice.


Chapter 6. Monitoring and Maintaining

Administrators can monitor user activity of IBM iNotes users and rename users when needed.

Monitoring iNotes activity
You can determine the number of active IBM iNotes users on a system and log iNotes request information. To monitor this activity, set up activity logging to include iNotes.

Procedure
1. From the IBM Domino Administrator, open the configuration settings document for the Domino server.
2. Click Activity Logging.
3. For the field Activity Logging is Enabled, check Yes.
4. Under Server Activity Logging Configuration, check Domino.DWA.Request.

Activity Log Information
About this task

iNotes activity logging records include such information as the name of the iNotes server, the name of the user accessing the server, the iNotes request, the number of bytes returned as a result of the request, the amount of time it took to process the request, and the date on which the request occurred.

Complete these steps to analyze iNotes activity:

Procedure
1. From the Domino Administrator, click Analyze Server Activity.
2. Under Analysis, click Analyze > Activity.
3. Under Server activity types to search for, select Domino - DWA - request, and then click Add.

Related concepts:
“Administering iNotes” on page 5
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Renaming an iNotes user
You rename an IBM iNotes user who has an iNotes ID and an IBM Notes certified public key located in their person document in the Domino Directory the same way you rename a Notes user.

About this task

In iNotes, however, after a rename has been initiated, users must access their Notes IDs to complete the process. Depending on whether the user's mail file has an imported copy of their Notes ID, users can do one of two things to access their Notes ID, which will then complete the rename process:
• User mail file has an imported copy of a Notes ID -- If the user's iNotes mail file contains an imported copy of their Notes ID, the user can either decrypt an encrypted message, or send an encrypted message to complete the rename process.
• User mail file does not have an imported copy of a Notes ID -- If the user's iNotes mail file does not contain an imported copy of their Notes ID, the user can either import one, which is required for using iNotes secure mail features, or the user can access the Notes ID using a Notes client.

Related concepts:
“Administering iNotes” on page 5
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.


Notes.ini file settings used when integrating iNotes with IBM Docs
There are several notes.ini file settings that correspond to the settings on the mail policy settings document, IBM Docs Integration section. When configuring IBM iNotes integration with IBM Docs, these notes.ini file settings override the corresponding settings in the mail policy setting document. To set up iNotes and IBM Docs integration, use the steps in the procedure Integrating iNotes with IBM Docs.

Procedure

You can use these notes.ini file settings when integrating iNotes with IBM Docs. The preferred way to configure iNotes and IBM Docs is by using the mail policy settings document, IBM Docs Integration section, but you can choose to use the notes.ini file settings instead.

Table 16. Notes.ini file settings that override mail policy settings for integrating iNotes with IBM Docs

Notes.ini file setting
    Description

iNotes_WA_DocsEnabled
    Default = 1. When set to 1, iNotes integration with IBM Docs is enabled. To disable integration, set to 0.

iNotes_WA_DOcsServer
    The URL that points to the server on which IBM Docs is installed. For example, http://docs.mycompany.com

iNotes_WA_ViewableFileTypes
    The supported document file types that users are allowed to view with IBM Docs. The supported document types are xls, odt, xlsx, docx, pptx, ods, odp, pdf, and ppt.


Related tasks:
“Integrating iNotes with IBM Docs” on page 79
Provide IBM iNotes users the ability to view documents with IBM Docs. You can allow users to view all supported document file types or you can specify which of the supported file types users are allowed to view with IBM Docs.

Notes.ini file settings used when integrating iNotes with Connections Files

There are several notes.ini file settings that correspond to the settings on the mail policy settings document, Connection Files Integration section. When configuring IBM iNotes integration with IBM Connections, these notes.ini file settings override the corresponding settings in the mail policy settings document. To set up iNotes and Connections integration, use the steps in the procedure Integrating iNotes with Connections files.

Procedure

You can use these notes.ini file settings when integrating iNotes with Connections Files. The preferred way to configure iNotes and Connections is by using the mail policy settings document, Connection Files Integration section, but you can choose to use the notes.ini file settings instead.

Table 17. Notes.ini file settings that override mail policy settings for integrating iNotes with Connections

Notes.ini file setting
    Description

iNotes_WA_FilesInteg
    Default = 0. When set to 1, iNotes integration with Connections files is enabled. To disable integration, set to 0.

iNotes_WA_FilesServer
    URL that points to the files component installation, not the Connections installation. For example, enter http://mycompany.com/files

iNotes_WA_Files_ShareOnSend_Disable
    Default = 1. When set to 1, links in an outgoing email that point to files stored in Connections are shared with recipients, when possible.
    When set to 0, sending shared files is disabled. The sender must then manually share the linked files in Connections with the recipients; however, it will reduce the load on the Connections server when all recipients do not need access to the file.

iNotes_WA_Files_ShareOnSend_MaxGroupSize
    Default = 100. Maximum group size for sharing linked files. By default, linked files are only shared with groups of 100 or fewer members. Sharing linked files with large groups of recipients is inefficient. In the case of a large group, it is better to put the file in a Connections community or in a folder with shared access. Use this setting to change the default group size limit. This limit only applies to private groups if the delivery option is set to Do not expand personal groups and that group has not been expanded earlier in the session.

iNotes_WA_Files_ShareOnSend_NewFwdLinksOnly
    Default = 1. To share files in a sent email that are newly linked or forwarded but not replied to, accept the default setting of 1. To disable the setting, set to 0.

Related tasks:
“Integrating Connections files with iNotes” on page 77
You can make file sharing easier for IBM iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with IBM Connections files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Connections. Where possible, the files that are being linked to are shared with the recipients at send time. Users can upload received attachments to Connections Files and then remove the attachment from the email and replace it with a link to the newly uploaded file to save space in their mail file. Connections 3.6 and more recent versions are supported for integration with iNotes.


Chapter 7. Integrating with other applications

IBM iNotes can be integrated with IBM Sametime, IBM Quickr, IBM Docs and IBM Connections.

Setting up Quickr integration with iNotes
IBM Quickr has been integrated with IBM iNotes.

About this task

To enable and set up iNotes integration with Quickr, perform these tasks:
• Enable Quickr integration
• Set up an HTTP-proxy servlet
• Enable session-based authentication
• Specify a list of user-friendly servers to display in user preferences

Enable Quickr integration
About this task

To enable this feature, use the mail policy setting Allow Quickr Integration, on the iNotes - Configuration tab of the mail policy settings document.

If you want to enable or disable this feature temporarily on a trial basis, you can use the notes.ini file setting iNotes_WA_Quickr=1 to enable it server-wide, or iNotes_WA_Quickr=0 to disable it server-wide. This notes.ini file setting overrides any policy setting.

Set up an HTTP-proxy servlet
About this task

Set up an HTTP-proxy servlet to specify a list of allowed sites. To set up the HTTP-proxy servlet, edit the security policy settings document and provide the information on the Proxies tab. If the Quickr server is in the same SSO domain as the IBM Domino server, then an LTPA token should also be included in the list of allowed cookies. For information on setting up an HTTP-proxy servlet, see the topic Using an HTTP-proxy Servlet to restrict URLs to external servers.

Note: If you used a proxy-config.properties file to specify allowed sites in a previous release, you must set up a security policy instead. The proxy-config.properties file is no longer supported.

Set up session-based authentication
Procedure

To use Quickr integration features in iNotes, enable session-based authentication using either single-server or multi-server authentication, also known as single sign-on or SSO, for your Domino mail server. If you configure your Domino server for SSO and the Quickr servers that you are connecting to are in the same domain, make sure the LTPA token is listed in the proxies tab of the security policy settings, as mentioned previously. If the Quickr server is not in the same domain, users are prompted for each session to authenticate with the servers they are connecting to.

Specify user-friendly names for URLs
About this task

To make it easier for users to add a place, you can use the Proxy servlet name/URL pairs mail policy setting to specify a list of Quickr servers and assign user-friendly names for the servers. The user-friendly names then display in the user preferences for Quickr. When a user browses to add a place, they can browse for places by selecting from a list of user-friendly names, rather than URLs. For additional information on setting mail policy settings, see the topic Creating mail policy settings for iNotes users.

When browsing the Quickr servers, the list of feeds returned from Quickr is limited to 50 by default due to performance considerations. To change the default number of feeds allowed, use the notes.ini file setting iNotes_WA_Quickr_Feed_Page_Size and specify the number of feeds to return in the server's notes.ini file.

User notes
About this task

iNotes supports these user tasks:
• Adding a Quickr place using Quickr user preferences
• Inserting a Quickr link into messages
• Viewing Quickr links in messages sent to them
• Saving an attachment in mail they receive to a Quickr place or to a folder in a place
• Replacing an attachment in a received message with a Quickr link
• Renaming uploaded files if there is a name conflict on a server
• Paging through long place listings

If you have Quickr Connectors installed, iNotes does not support the connector's preferences and place settings. To use those place settings in iNotes, you must configure them using preferences.

Related tasks:
“Using an HTTP-proxy servlet to restrict URLs to external servers” on page 15
For IBM iNotes features that send requests either to external servers for external calendar overlays or to Web services (IBM Quickr integration), you must configure an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.

Setting up iNotes with Sametime
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

About this task

The instant messaging awareness feature also displays online status next to the names of people in mail messages, views and folders. In addition, Web conferencing capabilities are available if your organization purchased IBM Sametime.

To access the Sametime server using a protocol that is different from the current Web page's protocol, use the notes.ini file setting iNotes_WA_SametimeProtocol.

Use these installation instructions to install and set up Sametime for iNotes.

For information about installing Sametime, see the Sametime product documentation and wiki.

Set up iNotes on a Domino serverProcedure1. Set up iNotes on a server by making the appropriate selections during server

setup.2. Register users with the latest version mail template, for example, mail85.ntf.

Set up the Sametime serverAbout this task

The Sametime server should be in the same Domino domain as the iNotes server.

Procedure1. Install and configure instant messaging on a dedicated Domino server in the

same Domino domain as the iNotes server.2. If the Sametime server is in a different domain than your iNotes server, follow

the instructions in the procedure Setting up Sametime and iNotes in differentdomains.

3. Make sure the Sametime server is functioning properly before proceeding. Ifyou have multiple Sametime servers in a single community, make sure thatDomino single sign-on (SSO) is functioning properly between the servers.

Create connection documents

About this task

Create connection documents for the iNotes and Sametime servers if the Sametime server is not in the same domain as the iNotes server. If the Sametime server is in the same domain as the iNotes server, but is not clustered with the registration server, create a connection document to replicate the Domino directory.

Create connection documents and include the following information.

Procedure
1. On the iNotes server, complete these steps:
   a. Enter the Sametime server's name in the Destination server field. For example: Sametime/Renovation.
   b. Enter the iNotes server's name in the Source domain field.
   c. Enter the Sametime server's name in the Destination domain field.


2. On the Sametime server, complete these steps:
   a. Enter the iNotes server's name in the Destination server field.
   b. Enter the Sametime server's name in the Source domain field.
   c. Enter the iNotes server's name in the Destination domain field.

Specify the Sametime server for iNotes users

About this task

There are two ways to specify a Sametime server for iNotes users:
- To enable instant messaging and set the Sametime server for all iNotes users at one time, use the instant messaging settings in the configuration settings document, IBM iNotes tab. Then users can enable or disable instant messaging by setting a user preference.
- If you do not enable instant messaging for all users, edit the person document for each user who will use instant messaging, as detailed in this procedure.

Procedure
1. From the Domino Administrator, click the People & Groups tab.
2. Select the IBM iNotes Domino directory, then click People.
3. Double-click a name to open the user's person document.
4. Click Edit.
5. Enter the name of the Sametime server in the Sametime server field.
6. Click Save & Close.
7. Repeat Steps 3 through 6 for each user.

Set up the Instant Contact List in iNotes

About this task

iNotes has its own contact list that replaces Sametime Connect for browsers. Use these steps to set up the iNotes contact list.

Procedure
1. Configure Java servlet support by completing these steps:
   a. From the Domino Administrator client, open the server document for the iNotes server in edit mode.
   b. Click the Internet Protocols - Domino Web Engine tab.
   c. In the Java Servlets section, Java servlet support field, select Domino Servlet Manager from the list.
   d. Save and close the document, and then restart the server.
2. Edit the Sametime configuration file by completing these steps:
   a. Open the Sametime Configuration application, stconfig.nsf, on the Sametime server.
   b. From the By Form view, open the Community Connectivity document.
   c. Add the IP address of the iNotes server to the Community Trusted IPs field.
   d. Save and close the document and restart the Sametime server.
3. Edit the servlet configuration file by completing these steps:


   a. Create a text file in the data directory on the iNotes server called servlets.properties that includes this line:
      servlet.DWABuddyList.code=com.lotus.dwa.stbuddy.DWABuddyList
   b. If you are using reverse proxy servers in your environment, you may need to add the following line with the fully-qualified domain name or IP address of the Sametime server in the servlets.properties file:
      servlet.DWABuddyList.initArgs=stserver=sametime.company.com

Set up Domino Web SSO authentication between the iNotes server and IM server

About this task

Domino single sign-on (SSO) authentication allows Web users to log in once to a Domino or WebSphere® Application Server, and then access any other Domino or WebSphere Application Server in the same DNS domain that is enabled for single sign-on (SSO) without having to log in again. In a multiple server environment, it is possible that one or more servers in your Domino domain are already configured for Domino SSO, and the Domino Directory already contains a Domino Web SSO configuration document. When you install Sametime, it creates a Web SSO configuration document called LtpaToken unless one already exists in the Domino directory. If an LtpaToken configuration document already exists, Sametime does not attempt to alter it.

If your iNotes server is not configured for Web SSO, and you want to use the Web SSO document that Sametime created to configure it, complete the steps in this section:

Configure the iNotes server for Web SSO by completing these steps:
1. Ensure that the Domino Directory has replicated throughout the Domino domain since you installed Sametime.
2. Update the Web SSO Configuration document, LtpaToken, that was created when you installed Sametime:
   a. Open the Domino Directory and select the Configurations > Web > Web Configurations view.
   b. From within this view, expand the list of Web SSO Configurations.
   c. Open the Web SSO Configuration for LtpaToken document in edit mode.
   Note: If you are unable to edit the document, record the settings in the document, and then delete it and create a new one.
3. Update these fields if necessary:
   - Domino Server Names -- make sure this field contains the name of all of the iNotes servers and Sametime servers that should participate in Single Sign-on.
   - DNS Domain -- make sure this is the fully-qualified domain name of the iNotes and Sametime server.
4. Click Save & Close.
5. Enable single sign-on and basic authentication in the Server document for the iNotes server. When you update the Web SSO Configuration field, select LtpaToken from the list.
6. Ensure that the updates replicate to all of the servers in the domain.


If your iNotes server is already configured for Domino Web SSO, update iNotes server Web SSO configuration by completing these steps. You must add the Sametime server to your configuration:
1. Update your existing Domino Web SSO Configuration document, LtpaToken.
2. Update the Server document for the Sametime server.
3. Ensure that the updates replicate to all of the servers in the domain.

Although Domino SSO is the preferred authentication method, you can continue to use secrets and tokens authentication databases, if you are already using them. For example, if any server in your domain is configured for something other than multiple server SSO, for example, single server SSO, you must use secrets and tokens authentication.
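The DNS Domain field sets the scope of the LtpaToken cookie, so a server whose Internet host name falls outside that domain does not receive the token from the browser and the user is prompted to log in again. The following Python check is an added example, not IBM code; it tests a list of host names or URLs against the DNS Domain value, and the host list is constructed for illustration.

```python
from urllib.parse import urlsplit


def host_of(value):
    """Return the lower-case host from a bare name, host:port, or full URL."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.split(":", 1)[0].lower().rstrip(".")


def in_sso_domain(entry, dns_domain):
    """True if a cookie scoped to dns_domain would be sent to this host."""
    host = host_of(entry)
    domain = dns_domain.strip().lower().strip(".")
    if not domain or "." not in host:
        return False  # short (unqualified) names never match
    # Match on a label boundary so "xrenovations.com" is not treated
    # as part of "renovations.com".
    return host == domain or host.endswith("." + domain)


def audit_sso_hosts(dns_domain, entries):
    """Map each problem entry to the reason it cannot share the SSO token."""
    findings = {}
    for entry in entries:
        if "." not in host_of(entry):
            findings[entry] = "not fully qualified"
        elif not in_sso_domain(entry, dns_domain):
            findings[entry] = "outside DNS Domain"
    return findings


# Constructed sample: DNS Domain as entered in the Web SSO Configuration
# document, and the servers listed in Domino Server Names.
SAMPLE_DOMAIN = ".renovations.com"
SAMPLE_HOSTS = [
    "inotes.renovations.com",
    "IM.Renovations.com.",              # case and trailing dot are ignored
    "https://im.renovations.com:9443",  # URLs are reduced to their host
    "sametime",                         # short name, no domain part
    "im.renovations.example",           # different domain
    "xrenovations.com",                 # suffix match without a label boundary
]

if __name__ == "__main__":
    for entry, reason in audit_sso_hosts(SAMPLE_DOMAIN, SAMPLE_HOSTS).items():
        print(f"{entry}: {reason}")
```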

Verify that instant messaging works with iNotes

About this task

If the instant messaging status does not appear next to the Welcome username text in iNotes, check the user's Person document in the Domino directory. If you configured the Sametime server by populating this document, make sure the Sametime server field is correct. See the Basics tab, Real-Time Collaboration section.

Procedure
1. Make sure that replication is complete, the person documents exist on the Sametime server, and the updated Web SSO document, LtpaToken, exists on all of the servers that will participate in single sign-on.
2. Verify that instant messaging is working properly before testing it with iNotes clients.
3. Launch iNotes in a browser. In any view or document in which online awareness appears, click the Active status icon of the person you want to chat with to test the instant messaging connection.


Related concepts:
“Setting up iNotes on a server” on page 11
IBM iNotes provides IBM Notes users with browser-based access to Notes mail, as well as Notes calendar and scheduling features. Using iNotes, a user can send and receive mail, view the calendar, invite people to meetings, create to do lists, keep a notebook, and work off line.
“Using Domino Off-Line Services (DOLS) and iNotes” on page 12
To provide IBM iNotes users with the ability to work off line, enable IBM Domino Off-Line Services (DOLS) when you set up the server. DOLS enables users to work off line, disconnected from a network, and provides many replication features that IBM Notes users expect when working in the Notes client.

Related tasks:
Chapter 4, “Editing the configuration settings document for iNotes,” on page 39
Many of the features you enable using the configuration settings document can also be configured using policies.
“Setting up Secrets and Tokens authentication for instant messaging in iNotes” on page 74
If you want to use Secrets and Tokens authentication databases for your instant messaging security instead of IBM Domino Single Sign-On (SSO) Authentication, you must create a one-time replica of the Tokens database on the IBM iNotes server.
“Setting up Sametime and iNotes in different domains”
You can set up a cross-domain configuration when the IBM Sametime server and the IBM iNotes server are located in different domains.

Related information:

IBM Sametime wiki

Can Sametime work with Internet Sites enabled?

Setting up Sametime and iNotes in different domains

You can set up a cross-domain configuration when the IBM Sametime server and the IBM iNotes server are located in different domains.

Procedure
1. Cross certify both domains with each other. This step is necessary only if the Sametime server uses IBM Domino authentication instead of LDAP.
2. Configure directory assistance on the Sametime server as needed:
   - If Sametime uses native Domino authentication, then directory assistance must point to the iNotes server, using the IBM Notes protocol instead of LDAP.
   - If Sametime was installed to use LDAP, then directory assistance is configured automatically, and nothing further is necessary.
3. If you have set up single sign on (SSO), go to Step 4. If you do not have SSO set up, replicate STAuthS.nsf to the iNotes server. The file name is case sensitive on Unix servers.
4. Create a server document for the Sametime server in the Domino Directory of the iNotes server, completing the following fields:
   - Server name
   - Domain name
   - Fully qualified Internet host name
   - Is this a Sametime server?


5. Enter the Sametime server name in the Sametime Server field of each iNotes user's Person document.

   Note: You can specify the Sametime server name in the server configuration document to globally set the Sametime server for all users. Use the Set an IBM Sametime Server host name for all IBM iNotes users (useful for clustered configurations) field.

Related tasks:
“Setting up iNotes with Sametime” on page 68
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.
“Troubleshooting Sametime in iNotes” on page 75
If instant messaging icons do not display in IBM iNotes mail and the contact list, you can check for the likely causes.

Setting up Secrets and Tokens authentication for instant messaging in iNotes

If you want to use Secrets and Tokens authentication databases for your instant messaging security instead of IBM Domino Single Sign-On (SSO) Authentication, you must create a one-time replica of the Tokens database on the IBM iNotes server.

About this task

Because file names are case sensitive on UNIX, the Secrets database name used in this example must be entered exactly as STAuthS.nsf.

After you have replicated stauths.nsf from your IBM Sametime server to your Domino server, open the Replication Settings dialog box for the database, click Other, and enable the setting Temporarily disable replication for this replica. This will prevent another version of the database from a Microsoft Windows system from overwriting the name change for the UNIX server.

To replicate stauths.nsf from the Sametime server to the Domino server directory, do the following:

Procedure
1. Using an IBM Notes client, click File > Open > Notes Application.
2. Enter the name of the Sametime server, for example, Sametime/Renovations.
3. Enter the Secrets database filename: stauths.nsf
4. Click Open.
5. Choose File > Replication > New replica.
6. Enter the name of the Domino server, for example, iNotes/Renovations.
7. Ensure that the database is replicated to the data directory: ...\domino\data\stauths.nsf.
8. Click OK to create the replica.


Related tasks:
“Setting up iNotes with Sametime” on page 68
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

Using iNotes with Sametime and the Sametime proxy server

The IBM Domino 8.5.4 release requires at least IBM Sametime Proxy server version 8.5.2 IFR1.

The Domino 8.5.3 release provided an update to the Sametime Proxy Server that is needed if you want to benefit from the Sametime Proxy Server Web 2.0 experience in IBM iNotes. This update requires at least Sametime version 8.5.2.

The Sametime Proxy Server provides iNotes clients with an updated, feature-rich contact list and chat interface and eliminates the need for a JVM on the client for these services. The Sametime Proxy Server is a self-contained IBM WebSphere Application Server application that can easily be added to an existing iNotes/Sametime deployment with minimal configuration changes. To manage the Sametime infrastructure, deploy the Sametime System Console.

For a new deployment, a minimum of three servers must be installed, one each for: iNotes, Sametime, and Sametime Proxy.

To configure iNotes integration with the Sametime Proxy server, complete these steps:
1. From the IBM Domino Administrator, click the Configuration tab and expand the Server or Messaging section.
2. Click Configurations.
3. Select the Configuration Settings document for the IBM iNotes mail server(s) and click Edit Configuration.
4. Select the iNotes tab.
5. In the Instant Messaging section, Instant Messaging Features field, select Sametime Web Client Integration.
6. In the Directory type used by Sametime server field, select the directory type you chose during Sametime server setup and installation.
7. (Optional) In the Location of the Sametime proxy server to use when using http: field, enter the fully qualified HTTP server name, a colon (:) and, optionally, the port number to use when logged into iNotes using HTTP.
   For example, enter http://server.domain.com:9080
8. (Optional) In the Location of the Sametime proxy server to use when using https: field, enter the fully qualified HTTPS server name, a colon (:) and, optionally, the port number to use when logged into iNotes using HTTPS.
   For example, enter https://server.domain.com:9443
9. Save and close the document.

Troubleshooting Sametime in iNotes

If instant messaging icons do not display in IBM iNotes mail and the contact list, you can check for the likely causes.


About this task

Check the following:
- The IBM Sametime server is running.
- All the ST**** services are running. Check the control panel - services; all ST**** services should be running when the Sametime server has fully started. If there are ST**** services not running, start STCommunity server first. If this service cannot be started, check the network connections and the Sametime server log file.
- Make sure the user has enabled Instant Messaging in Preferences.
- Make sure the user's Person document has been set up with the Sametime server names.
- Use the http:// protocol only for the Sametime server.

To identify the current Sametime server version

About this task

The instant messaging integration features rely on the ability of the browser to directly communicate with the Sametime server. This means that the fully-qualified Internet hostname of the Sametime server must be resolvable from the browser. For example, the fully qualified Internet hostname for an IBM Domino server named IM/Renovations might be im.renovations.com.

Therefore, either DNS must be able to resolve this address or it must be resolved to the proper IP address by some other mechanism, such as editing the local operating system's hosts file.

Procedure
1. If the Sametime server is running on a Microsoft Windows platform, type the following URL:
   http://Sametime server hostname/stcenter.nsf
   To avoid case sensitive issues on other platforms, search for the file under Sametime server directory/stcenter.nsf and use the file name case as shown there.
2. Click Administer the Server.
3. Log in to Instant Messaging, and then click Help > About Sametime.


Related concepts:
“Setting up iNotes on a server” on page 11
IBM iNotes provides IBM Notes users with browser-based access to Notes mail, as well as Notes calendar and scheduling features. Using iNotes, a user can send and receive mail, view the calendar, invite people to meetings, create to do lists, keep a notebook, and work off line.

Related tasks:
“Setting up Secrets and Tokens authentication for instant messaging in iNotes” on page 74
If you want to use Secrets and Tokens authentication databases for your instant messaging security instead of IBM Domino Single Sign-On (SSO) Authentication, you must create a one-time replica of the Tokens database on the IBM iNotes server.
“Setting up iNotes with Sametime” on page 68
IBM iNotes integrates an instant messaging (IM) capability so that users can chat with others online and maintain an instant messaging list that shows the online status of others.

Integrating Connections files with iNotes

You can make file sharing easier for IBM iNotes users by specifying mail policy settings that save network resources and improve efficiency by integrating iNotes with IBM Connections files. As an alternative to sending attachments, users can insert links to files that have been uploaded to Connections. Where possible, the files that are being linked to are shared with the recipients at send time. Users can upload received attachments to Connections Files and then remove the attachment from the email and replace it with a link to the newly uploaded file to save space in their mail file. Connections 3.6 and more recent versions are supported for integration with iNotes.

Before you begin
1. Configure Connections for your environment.
2. Set up SSO between the Connections server and the IBM Domino server. SSO is not required but it allows users to log in to iNotes and Connections with one logon.
3. Configure the Connections server to display email addresses.

About this task

If you specify notes.ini file settings that correspond to the settings on the mail policy settings document, Connection Files Integration section, the mail policy settings are overridden by the corresponding notes.ini file settings.

Procedure
1. From the mail policy settings document, click IBM iNotes, and then click Configuration.
2. In the Connection Files Integration section, in the Allow Files Integration field, accept the default setting of Enable.
3. In the URL to Connections Files service field, enter the URL for the Connection Files service.

   Note: This URL must point to the URL of just the Files service, not the overall Connections installation.


   For example, enter http://mycompany.com/connections/files

   Note: Change the default settings in steps 4 - 6 only if necessary.
4. In the Enable sharing linked files in mail field, accept the default of True. Linked files are automatically shared with the email recipients. When this setting is False, the sender must manually share the linked files in Connections with the recipients; however, it will reduce the load on the Connections server when all recipients do not need access to the file.
5. In the Maximum group size for sharing linked files field, enter the maximum group size for sharing linked files. By default, linked files are only shared with groups of 100 or fewer members. Sharing linked files with large groups of recipients is inefficient. In the case of a large group, it is better to put the file in a Community or to put it in a folder with shared access.

   Note: This limit only applies to private groups if the delivery option is set to Do not expand personal groups and that group has not been expanded earlier in the session.
6. In the When replying to an email containing links to Files, only share linked files in the newly added part of the thread field, accept the default of False. Changing the setting to True reduces the load on the Connections server for long email threads. However, if a user replies to a thread containing a link to a file in Connections Files and adds a new recipient to the thread, the new recipient is not given access to the file. This setting only applies to emails being replied to, not forwarded, since it is likely that the file has already been shared with recipients earlier in the thread. For forwarded emails, there are new recipients who are less likely to have access to the file.
7. Complete these steps to designate the proxy settings in the security policy settings document:
   a. From the security policy settings document, click Proxies. In the Add white list rule for proxy servlets field, click Edit List. The White list rule to add or modify fields display.
   b. In the Context field, enter /xsp/proxy/LcFilesProxy/
   c. In the Actions field, enter HEAD, GET, POST, PUT.

      Note: By default, PUT is not enabled on the Domino server. If Internet configurations are being loaded from Server or Internet Sites documents, enable PUT from within the Allowed Methods section of the Configuration tab of the Internet site document. If you are not using Internet Sites documents, then enter this NOTES.INI file setting: HTTPEnableMethods=PUT
   d. In the Headers field, enter * (an asterisk).
   e. In the MIME Types field, enter * (an asterisk).
   f. In the Cookies field, if you are using SSO, be sure to include either LtpaToken or LtpaToken2. If you are not using SSO, do not enter anything.
   g. Click Add/Modify Value. The Context and URL values are added to the Add these white-list rules for proxy servlets field. Click OK.
   h. If you are not using SSO, repeat steps 7.b - 7.h using the same Connections URL but with https instead of http for use with the Connections login dialog. The easiest way to repeat these steps is to click Add/Modify Value and modify the URL you just added. Modifying the URL creates a new rule but does not change the existing rule.
   i. Click Save and Close.


8. If any of the URLs specified in step 7 use SSL with a self-signed certificate, import them into the Domino Directory and cross-certify them so that they are trusted.

Related tasks:
“Creating security policy settings for iNotes users” on page 31
To create or enforce security settings for IBM iNotes users, you must create a security policy settings document.
“Using an HTTP-proxy servlet to restrict URLs to external servers” on page 15
For IBM iNotes features that send requests either to external servers for external calendar overlays or to Web services (IBM Quickr integration), you must configure an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.
“Notes.ini file settings used when integrating iNotes with Connections Files” on page 64
There are several notes.ini file settings that correspond to the settings on the mail policy settings document, Connection Files Integration section. When configuring IBM iNotes integration with IBM Connections, these notes.ini file settings override the corresponding settings in the mail policy settings document. To set up iNotes and Connections integration, use the steps in the procedure Integrating iNotes with Connections files.

Related information:

Notes and Domino wiki

Integrating iNotes with IBM Docs

Provide IBM iNotes users the ability to view documents with IBM Docs. You can allow users to view all supported document file types or you can specify which of the supported file types users are allowed to view with IBM Docs.

Before you begin

Set up SSO between the IBM Domino server, the IBM Connections server, and the IBM Docs server.

About this task

If you specify notes.ini file settings that correspond to the settings on the mail policy settings document, IBM Docs Integration section, the mail policy settings are overridden by the corresponding notes.ini file settings. The corresponding notes.ini file settings are described here in the notes.ini settings topic. Be careful not to unintentionally override the settings in the mail policy settings document.

Procedure
1. From the mail policy settings document, click IBM iNotes, and then click Configuration.
2. In the IBM Docs Integration section, in the Allow IBM Docs Integration field, click Enable.
3. In the URL to IBM Docs service field, enter the URL that points to the server on which IBM Docs is installed.
4. In the Viewable file types field, select the types of files viewable to the user. Use this setting to control the types of files that can be viewed in IBM Docs. The default is to leave this field blank, allowing users to view all file types that IBM Docs can handle. If a file type is selected, users can view that file type; if a file type is not selected, users cannot view files of that type. You can manually add other file types that are supported by IBM Docs.

Table 18. Viewable file types and their descriptions

File Type                  Description
ots (Not yet supported)    IBM Symphony® spreadsheet template
xls                        Microsoft Excel
odt                        IBM Symphony documents
xlsx                       Microsoft Excel
docx                       Microsoft Word
ott (Not yet supported)    IBM Symphony document template
pptx                       Microsoft PowerPoint
ods                        IBM Symphony spreadsheets
otp (Not yet supported)    IBM Symphony presentation template
odp                        IBM Symphony presentation
ppt                        Microsoft PowerPoint
csv (Not yet supported)    Comma separated value file of exported Microsoft Outlook contact names in ASCII format with .csv filename extension.
doc                        Microsoft Word
pdf                        Adobe Reader

5. Click Save and Close.
6. Complete these steps to designate the proxy settings in the security policy settings document:
   a. From the security policy settings document, click Proxies. In the Add white list rule for proxy servlets field, click Edit List. The White list rule to add or modify fields display.
   b. In the Context field, enter /xsp/proxy/ViewerProxy/
   c. In the URL field, enter the URL pointing to the IBM Docs server.
      1) If you entered an https: URL, import the Connections certificate into the Domino JVM CACERTS file by entering this command from the system prompt:
         keytool -import -file <location of certificate file> -trustcacerts -alias <friendly name to identify the certificate> -keystore <domino install dir>\jvm\lib\security\cacerts

         For example, enter
         C:\Domino\jvm\bin>keytool -import -file c:\temp\connections.swg.usma.ibm.com.der -trustcacerts -alias connectionsSWG -keystore C:\Domino\jvm\lib\security\cacerts

         The default password is changeit
   d. Click Add/Modify Value. The Context and URL values are added to the Add these white-list rules for proxy servlets field.
   e. In the Actions field, specify any combination of GET, POST, and HEAD.
   f. In the Cookies field, enter * (asterisk).
   g. In the Mime Types field, enter * (asterisk).
   h. In the Headers field, enter * (asterisk).
   i. Click OK.
   j. Click Save and Close.
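The two allow-list rules configured on this page differ in what they let through: the Connections Files rule (/xsp/proxy/LcFilesProxy/) permits PUT and names the SSO cookie, while the IBM Docs rule (/xsp/proxy/ViewerProxy/) uses * for Cookies. The Python model below is an added example, not IBM code; prefix matching on Context and exact matching on method and cookie name are assumptions, and the request cookies are constructed. It shows which requests each rule accepts and which cookies it would pass to the remote server.

```python
from dataclasses import dataclass

WILDCARD = frozenset({"*"})


@dataclass(frozen=True)
class ProxyRule:
    context: str                      # Context field
    actions: frozenset                # Actions field (HTTP methods)
    cookies: frozenset                # Cookies field; "*" means every cookie
    headers: frozenset = WILDCARD     # Headers field
    mime_types: frozenset = WILDCARD  # MIME Types field


# Field values as entered in the two procedures on this page.
RULES = [
    ProxyRule("/xsp/proxy/LcFilesProxy/",
              frozenset({"HEAD", "GET", "POST", "PUT"}),
              frozenset({"LtpaToken"})),
    ProxyRule("/xsp/proxy/ViewerProxy/",
              frozenset({"GET", "POST", "HEAD"}),
              WILDCARD),
]


def evaluate(rules, method, path, cookies):
    """Return (allowed, cookies_forwarded) for one request (simplified model)."""
    for rule in rules:
        if path.startswith(rule.context):
            if method.upper() not in rule.actions:
                return False, {}
            if "*" in rule.cookies:
                return True, dict(cookies)  # everything is passed on
            kept = {k: v for k, v in cookies.items() if k in rule.cookies}
            return True, kept
    return False, {}  # no rule covers this context


def wildcard_fields(rule):
    """Name the fields of a rule that are set to *, for configuration review."""
    names = ("cookies", "headers", "mime_types")
    return [n for n in names if "*" in getattr(rule, n)]


# Constructed browser cookies: the SSO token plus one unrelated cookie.
SAMPLE_COOKIES = {"LtpaToken": "constructed-token",
                  "OtherAppSession": "constructed-session"}

if __name__ == "__main__":
    for method, path in [("PUT", "/xsp/proxy/LcFilesProxy/upload"),
                         ("PUT", "/xsp/proxy/ViewerProxy/view"),
                         ("GET", "/xsp/proxy/ViewerProxy/view")]:
        print(method, path, evaluate(RULES, method, path, SAMPLE_COOKIES))
    for rule in RULES:
        print(rule.context, "wildcards:", wildcard_fields(rule))
```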


Chapter 8. Customizing iNotes

Once IBM iNotes has been installed and configured, you can customize your implementation in the following ways:

Customizing the look of iNotes

You can customize the look and behavior of IBM iNotes by creating an extension forms file that has several customization points built in for you. The default name of the extension forms file is Forms85_x.nsf, but you can use a file name of your choice.

About this task

Once the extension forms file is created, you can edit the forms file using IBM Domino Designer to customize iNotes.

Note: Multiple extension forms files are not supported on a single IBM Domino server.

The extension forms file contains these subforms you can use to customize iNotes:
- Custom_Common_Utils -- to add functions that will be called from Custom_JS
- Custom_CSS -- to add new CSS styles
- Custom_JS -- contains callback functions you can use to add or remove action bar items, or add additional code when pages are displayed or submitted. (Used for older "classic" architecture forms. Most of the code uses the newer forms, however there are a few of the older forms still in use.)
- Custom_JS_Edit -- to add more fonts to the rich text editor
- Custom_Masthead -- to add a masthead to all pages
- Custom_Name_Lite -- the code for Korean name display format
- Custom_Page_Dictionary -- to add new variable values for use with the Custom_CSS subform
- Custom_WelcomePage -- to add more choices for the end user's Welcome Page
- Custom_Page_Dictionary -- to add NotesVars which are available for use in the Custom_CSS subform
- Custom_xxx_Dictionary subforms -- These new custom dictionary subforms have been added to each main area form, Mail, Calendar, ToDo, etc., to allow easier inclusion of new NotesFields and NotesVars
- Custom_LazyLoad_Subforms -- to add customization code to the lazy load table
- Custom_Logout -- to add customization code to be run on logout
- Custom_About -- to display the forms file version and a user-specified file version number. The version numbers are displayed in the iNotes console log when iNotes starts up.
- Custom_SessionInfo -- to add items to the iNotes session info object.


Creating an extension forms file

Procedure
1. From Domino Designer or the IBM Notes client, select File > Application > New.
2. Under Specify New Application Name and Location, select your Domino server.
3. For File name enter Forms85_x.nsf and locate it in the iNotes directory under the Domino data directory.
4. Under Specify Template for New Application, select your Domino server.
5. Select Show advanced templates.
6. Select the iNotes Extension Forms (8.5) template (Forms85_x.ntf).
7. Select Inherit future design changes to pick up any new customization forms and subforms from future versions of the template. Existing forms and subforms are not overwritten.

Modifying the iNotes common forms file

About this task

Use this process any time you modify the Forms85_x.nsf file.

Procedure
1. Copy Forms85_x.nsf to a temporary directory.
2. Make changes to the forms as desired in the temporary copy of the Forms85_x file.
3. Flush the Domino server database cache using the dbc f server command.
4. Copy the Forms85_x file back to the iNotes directory under the Domino data directory.
5. Stop and restart the HTTP process on the server using the tell http restart server command.
6. Clear the browser cache.
7. Test the changes.

Related tasks:
“Using iNotes agents”
You can use agents to process or manipulate data on forms or sub forms in IBM iNotes.

Related information:

Lotus iNotes customization

Enabling external calendars in iNotes

To enable users to add external calendars to their IBM iNotes calendars, use a mail policy setting Allow Calendar Subscriptions.

About this task

Users can add external calendars to their iNotes calendars, overlaying the information so that all calendars display in the iNotes calendar. You can enable this feature using the mail policy setting Allow Calendar Subscriptions on the IBM iNotes Configuration tab of the Mail policy settings document.


For the IBM Domino 8.5.1 release, users can add only Google calendars.

Procedure
1. If you do not use policies or if you want to enable or disable this feature temporarily on a trial basis, you can use the notes.ini file setting iNotes_WA_CalOverlay=1 to enable it server-wide, or iNotes_WA_CalOverlay=0 to disable it server-wide. Using this setting overrides any policy setting.
2. Set up an HTTP-proxy servlet using Security policy settings, and including one or more entries for the external server(s) that host the calendar subscriptions on the Proxies tab. For information on setting up an HTTP-proxy servlet, see the topic in this Help “Using an HTTP-proxy Servlet to restrict URLs to external servers”.

Related tasks:
“Using an HTTP-proxy servlet to restrict URLs to external servers”
For IBM iNotes features that send requests either to external servers for external calendar overlays or to Web services (IBM Quickr integration), you must configure an HTTP-proxy servlet to intercept calls and retrieve information from a remote site.

Updating the forms file without a server restart

You can update the IBM iNotes forms.nsf file without having to restart the IBM Domino server.

Procedure
1. Open the Domino server console.
2. Enter the command:

   tell http inotes flushforms

3. Replace or update the forms.nsf file in the lotus/domino/data/inotes directory.
4. When you are notified that a file will be overwritten, type y to confirm.

Results

The new or updated file is saved.

Related concepts:
“Administering iNotes”
IBM iNotes (previously IBM Domino Web Access) provides IBM Notes users with browser-based access to Notes mail and to Notes calendar and scheduling features.

Using iNotes agents

You can use agents to process or manipulate data on forms or sub forms in IBM iNotes.

About this task

There are two iNotes agents, QueryOpen and QuerySave, which are the equivalent of the Web agents WebQuerySave and WebQueryOpen. When determining which forms to customize using iNotes agents, keep in mind how often the form is used. Design your agents to run only on the specific page you want to act on. An agent that acts on a form or subform that runs constantly may impact performance adversely.


Creating the agents

About this task

You can create IBM Domino Web Access agents in IBM Domino Designer by adding two NOTESVARS to the dictionary for the form you want to customize. The NOTESVARS specify the names of the QueryOpen and QuerySave agents. The agents can be in the user's mail file, the main iNotes Forms file, FORMS85.NSF, or the extension forms file. In Domino Designer, add these lines to the <NotesDictionary> block in the Custom_xxx_Dictionary subform which corresponds to the form or subform you want the agents to act on:

<NOTESVAR NAME={$$QueryOpenAgent} VALUE={'(agentname)'}>

<NOTESVAR NAME={$$QuerySaveAgent} VALUE={'(agentname)'}>

Example

About this task

To add QueryOpen and QuerySave agents to the Memo, Reply, and Reply with History forms, open the extension forms file and add $$QueryOpenAgent and $$QuerySaveAgent NOTESVARS to the Custom_MailMemoDictionary_Lite subform. Using the names testopen and testsave, for example, the edited subform would look like this:

<NotesDictionary>

<NOTESVAR NAME={$$QueryOpenAgent} VALUE={'(testopen)'}>

<NOTESVAR NAME={$$QuerySaveAgent} VALUE={'(testsave)'}>

</NotesDictionary>

For information about creating and using Web agents, see the section on Programming Domino for Web Applications in the Domino Designer help.
http://www-10.lotus.com/ldd/ddwiki.nsf/xpViewCategories.xsp?lookupName=Product%20Documentation

Related tasks:
“Customizing the look of iNotes”
You can customize the look and behavior of IBM iNotes by creating an extension forms file that has several customization points built in for you. The default name of the extension forms file is Forms85_x.nsf, but you can use a file name of your choice.


Chapter 9. Administering the Domino Social Edition OpenSocial component

IBM Domino Social Edition Open Social component adds social and web features to make third-party processes available directly in the client user's mail. Domino Social Edition Open Social component supports IBM iNotes Widgets and LiveText, OpenSocial 2.0 Gadgets in the sidebar, pop-ups, tabs, and embedded experiences in iNotes.

The Open Social component is deployed and configured on two server components: a Domino mail server, and another Domino server running Shindig, both with the Open Social component installed. In addition, the Domino mail server supports iNotes and hosts the widgets catalog, and the Domino server running Shindig hosts the credential store application.

Important: In order for the Open Social component features to work properly, make sure that your IBM Notes client(s) and Domino Administrator client(s) have this setting enabled in their notes.ini files:

$EE_Enable=1

Configuring the widget catalog application

The widget catalog is a server-based application that contains all centrally managed widgets and their underlying XML extension definitions, including content types and recognizers. The catalog is based on the IBM Domino server-supplied Widget Catalog template, toolbox.ntf, and its access is controlled by a combination of application ACLs and policies or Eclipse preferences in the plugin_customization.ini file, as well as widget catalog categories. Use the supplied catalog template, toolbox.ntf, to create a widgets catalog on a server. To configure the widget catalog application, configure ACLs and roles, enable agents, and (optional) set launch options for the widget catalog.

After you create the widget catalog, you have the option of creating an initial set of categories for the catalog. There are two types of predefined categories in the widget catalog; both can be defined in the Administration/Keyword view.

Table 19. Predefined category types in widget catalogs

| Category Type | Description |
| --- | --- |
| Administrator categories | Named ADMIN-Categories. Only administrators can put widgets in these categories. |
| Categories | Any widget author can add a widget to these categories. |

You can use the desktop settings policy document or plugin_customization.ini file preferences to assign user access to the categories.

You (and experienced users with appropriate access) can configure new widgets and publish them to the catalog for user access. Users obtain the latest widgets from the catalog on a scheduled basis. Depending on how users are configured they can browse the catalog for new widgets and update the widgets in their local catalog replica on demand.


The widgets catalog does not contain IBM-supplied widgets. However, it does contain some advanced recognizers, and their content types, such as the following:
- Person (name)
- Place (address)
- Organization

Note: These Live Text recognizers are available for American English-only and some German names. You can create your own Live Text recognizers using Java regular expressions.

Creating a widget catalog

In IBM Notes and IBM iNotes, a widget catalog application is required to work with widgets.

About this task

Complete these steps to create the widget catalog application.

Procedure
1. Open the IBM Domino Administrator client and connect to the server on which you want to create the catalog.
2. Click Files.
3. Click File > Applications > New.
4. Select the server (not Local).
5. Enter an application Title -- for example, enter Widget Catalog.
6. Enter a unique file name.
   Note: You need this file name later, so make note of it.
7. In the Specify Template for New Application section, select your server (not Local).
8. Select Show advanced templates.
9. Select Widget Catalog (9).
10. Verify that the File name field contains toolbox.ntf.
11. Click OK.

Configuring ACLs and roles in the widget catalog

The Access Control List for the widget catalog requires specific entries to support OpenSocial widgets. You can use roles to restrict clients' ability to create widgets, tags, comments and ratings in the widget catalog.

About this task

Assign ACLs to control access rights to the catalog application for administrators and client users. Client users can be assigned access to widgets through their membership in specific widget categories or you can set them up to browse and access the catalog directly. If client users are not allowed to create and configure widgets, they need Reader access to the catalog; otherwise it is recommended that end users are granted Author access to the catalog. For information about using policies or preferences to designate user access to the widget catalog see the topic “Configuring the widget catalog application”.


Procedure
1. Open the IBM Domino Administrator client and connect to the server where you created the widget catalog application.
2. Click Files.
3. Select the new application file, right-click and select Access Control/Manage.
4. Select your administrator user and enable all roles.
   Important: Approving an OpenSocial widget requires at least one manager with the [Admins] role in the ACL of both the widget catalog and the credential store applications. However, if your organization has more than one administrator who approves widgets, a best practice is to create a group with a name of, for example, LocalDomainWidgetCatalogAdmins, and make sure the group has Manager access, plus the [Admins] role, in the ACL of each application.
5. Enable the desired access and roles for all other users. Client users who create widgets, add comments, rate widgets and add tags need an access level of Author or higher with read and write access. Assign one or more of the following roles:

Table 20. Roles and description

| Role | Description |
| --- | --- |
| [WidgetAccess] | Allows user to create widget documents |
| [TagAuthor] | Allows user to add tags to widget documents |
| [CommentAuthor] | Allows user to add comments to widget documents |
| [RatingAuthor] | Allows users to rate a widget |

Related information:

Widgets catalog as an XPages application

Enabling agents in the widget catalog

Enabling certain agents is required to enable configuration of OpenSocial widget functionality.

Before you begin

Ensure that you have appropriate access to enable agents on the Server document, Security tab, Programmability Restrictions section. At minimum, enable the Sign or run restricted LotusScript/Java agents option.

You need to have created a widget catalog. If you have not created a widget catalog, create one by selecting File > Application > New and create a new widgets catalog from the toolbox.ntf template.

Procedure
1. From the IBM Domino administrator client, with the IBM Notes client shut down, open the Widget Catalog in the classic (non-XPages) view.
2. Click View > Agents. If IBM Domino Designer is installed, Domino Designer opens. If Domino Designer is not installed, the Design - Agents view in the Domino Administrator client opens. The Design - Agents view displays a list of current agents. You can enable and disable agents from this view.
3. Select each agent listed in the table, and select Enable.


Table 21. Agents

| Agent | Description |
| --- | --- |
| CalcDownloads | Ensures that widget documents display the updated number of user downloads. By default, this agent runs every 5 minutes. |
| CalcRatings | Ensures that widget documents display the updated average user rating. By default, this agent runs every 5 minutes. |
| CalcTags | Ensures that widget documents display the updated list of tags created by users. By default, this agent runs every 5 minutes. |
| CreateStatisticRDoc | Ensures each widget has a statistic response document, and deletes the corresponding statistic response document if a widget is deleted. By default, this agent runs daily. |
| RmDupRatingR2R | Ensures any duplicate rating response-to-response document from the same user is removed. By default, this agent runs daily. |
| PushToCredStore | Pushes widget proxy rules and capabilities to the credential store. By default, this agent runs every hour, but runs immediately if you are approving a widget on the master server. |
| ToolSweeper | (Optional) Ensures that widget documents are properly created and populated. Enable this scheduled agent to run against new and modified documents. Each widget document requires a title and an xml file attachment. If a problem is found, the problem document is removed from the user views, placed in the Administration/Document Queue, and an e-mail is sent to the document author detailing the problem. Note: If you enable this agent, you are prompted for the name of the server on which to run the agent. Choose the server on which you have deployed the catalog. |

4. Specify the server on which the widget catalog application is deployed; the agents should all run on the same server.

Note: In a clustered environment, select only a single master server to run the scheduled agents.

What to do next

After the agents are enabled, during the procedure for configuring the credential store, be sure to give yourself the [Admins] role in the ACL of the credential store application, credstore.nsf.


Related tasks:
“Creating a widget catalog”
In IBM Notes and IBM iNotes, a widget catalog application is required to work with widgets.
“Creating the credential store application on the server running Shindig”
Creating the credential store application on the server running Shindig is part of the procedure to set up the IBM Domino server to run the Social Edition Open Social component and Shindig.
“Configuring the credential store application for Domino Social Edition Open Social component”
This procedure is part of the procedure to set up the IBM Domino server to run the Social Edition Open Social component and Shindig.

Related information:

Widgets catalog as an XPages application - Tech Note

Setting launch options for the widget catalog

After you have finished configuring the widget catalog application, you can set its launch options to the XPages user interface. XPages is the preferred user interface for widgets in both IBM Domino and IBM iNotes clients, providing each with the same experience when using the widget catalog.

About this task

There is no XPages user interface in the catalog application for approving and signing widgets. However, after you change the launch options to those in the procedure, you and other administrators can still see the classic user interface and have the Review button available for approving and signing widgets. To do so, open the catalog in the Domino Administrator client without the IBM Notes client running.

Procedure
1. From the Domino Administrator client, select the new widget catalog database, right-click and select Properties.
2. Click the icon for launch options.
3. In the When opened in the Notes client section, select Open designated Frameset and select the Toolbox-MainFrameset-XPage frameset.
4. In the When opened in a browser section, select home.xsp as the XPage.

Configuring widgets for specific Social Edition client releases

To support IBM Notes or IBM iNotes client users, as the widget catalog administrator on the IBM Domino 9.0 Social Edition server you can use the Platform field in the widget catalog documents to control which widgets in a category of widgets are deployed to client users of this and earlier releases of Lotus Notes and Lotus iNotes.

This feature is enabled by default on iNotes clients.

If a desktop settings policy is configured to push the installation of a widget catalog server, widget catalog application name, and widget categories to the users of the policy, the Platform field on the widget catalog document determines whether the widgets in the category are installed on the specific client and release.


Install OpenSocial widgets only on iNotes 9.0 Social Edition or later clients. To install such widgets properly, set the Platform field to iNotes 9.0. Do not leave the field empty.

Setting iNotes preferences

A new notes.ini file parameter in the notes.ini file on the IBM Domino 9.0 Social Edition server running iNotes controls whether the filtering of widgets during category installation is strict or not strict:

iNotes_WA_strictWidgetFilter

The default value is 1 which enables strict filtering. You can change the value to 0 to disable strict filtering.

When the parameter is set to 1, during category installation of widgets, one of these actions occurs:
- If the widget's Platform field list contains the indicator for the current iNotes release, the widget is installed.
- If the Platform field list is empty, which indicates all releases, the widget is installed.
- If the widget's Platform field list contains at least one release and the list does not contain the indicator for the current iNotes release, then the widget is not installed and a warning message is logged.

When this preference is set to 1, during drag-and-drop installation of a widget, this action occurs:
- If the widget's Platform field list contains at least one release and the list does not contain the indicator for the current iNotes release, the widget is installed, and a warning message is logged.

When this preference is set to 0, during category installation of widgets, one of these actions occurs:
- If the widget's Platform field list contains the indicator for the current iNotes release or an indicator for any previous release of Lotus iNotes, the widget is installed.
- If the Platform field list is empty, which designates all releases, the widget is installed.
- If the widget's Platform field list contains at least one release and the list does not contain the indicator for the current iNotes release or an indicator for any previous release of Lotus iNotes, then the widget is not installed and a warning message is logged.

When this preference is set to 0, during drag and drop installation of a widget, this action occurs:
- If the widget's Platform field list contains at least one platform and the list does not contain the indicator for the current iNotes release, or an indicator for any previous release of Lotus iNotes, the widget is installed, and a warning message is logged.


Locked domains

Domain locking is a security feature that isolates and protects OpenSocial widgets from third-party sources that might try to cause harm to other widgets, the browser, or your application. Locked domains are essential for products such as IBM Domino and IBM iNotes that allow users to add or render widgets from third-party sources.

Malicious content often tries to take advantage of a user's authenticated session to extract server data, modify other widgets on the page, or attack web services that have been authenticated and authorized through Open Authorization (OAuth). Locked domains prevent these security risks by sandboxing widgets into individual subdomains that cannot be penetrated by third-party sources or other widgets on the page.

Locked domains prevent widgets from having direct access to secure information in the browser and in other widgets on the page, including JavaScript and cookies. Even with a proxy, a piece of malicious or hacked JavaScript code that is loaded in the browser without locked domains can gain access to all of a user's single sign-on (SSO) cookies via the window.cookies object. Even though SSO cookies time out after a set expiration time, the malicious code can obtain blanket access to the enterprise for a given interval of time.

Therefore, in iNotes, it is strongly recommended that you configure locked domains and never disable them.

Locked domains and host domains

A locked domain implementation consists of three separate domains:
- A single sign-on (SSO) domain.
- An unlocked container domain for your host application, that is, iNotes. This unlocked domain can be part of the SSO domain, but ideally the two domains should be separate so that cookies such as SSO tokens are not unintentionally carried along with content requests.
- Locked hosts that are derived specifically for each widget. Widgets run in individual subdomains of the locked host to prevent widgets from sharing data among themselves.

The unlocked domain handles initial calls such as proxy requests and has a specific host name, for example unlocked.gadgets.renovations.com. The locked host name used for widgets is derived by computing a hash of the widget URLs and prepending that hash to a locked domain name suffix such as -locked.gadgets.renovations.com. The locked domain suffix must be a separate top-level domain (TLD) that is separate from the container (host application) and SSO domains.

To re-associate Open Authorization (OAuth) tokens with the locked gadget, the container uses an encrypted string called the security token. Similar to SSO tokens such as Lightweight Third-Party Authentication (LTPA), the security token has a relatively short life span to ensure that access is not granted indefinitely if a widget is hacked. SSO tokens do not flow directly to the widget, even if the security token is compromised, so the widget can only access resources that it is authorized to access via the proxy.


Common deployment scenarios

The main factor that determines your deployment scenario is how and from where your OpenSocial widgets receive data. If they receive data only from within the enterprise firewall (intranet), your configuration setup will differ from setups for widgets that receive data from outside the company.

You may need to register your locked and unlocked domains externally with a trusted domain name registrar.

Configuring locked domains

The steps required for configuring locked domains depend on your deployment. However, all deployments share some common prerequisites. Setting up host domains is a required prerequisite for locked domains, regardless of your deployment. Be sure to read the Locked Domains topic.

About this task

In IBM Domino you set up host and locked domains on the Social Edition tab of the server Configuration Settings document in the Domino Directory. Complete these steps to configure a host domain.

Procedure
1. Open the Domino Administrator client.
2. Click File > Open Server and open the Domino server running Shindig.
3. Click Configuration and then click Server > Configurations.
4. Click Add Configuration to create a new configuration.
5. Click Social Edition, and then complete these steps:
6. Click the Basics tab, complete the fields based on your deployment topology. Locked and unlocked domains are used if your organization has IBM iNotes clients.

Table 22. Configuration settings for locked domains and for all servers running Shindig

| Field | Description |
| --- | --- |
| Locked domain suffix | Enter a suffix to use when generating URLs with which to render locked gadgets. The URLs isolate gadgets from each other within the container. Domino combines a generated string for each locked domain gadget with the suffix you enter. For example, enter -locked.gadgets.renovations.com and a locked gadget is assigned a URL such as xxxxx.locked.gadgets.renovations.com |
| Domain name for unlocked gadgets and content fetching | Enter the DNS name of the domain used for rendering unlocked gadgets and for fetching content. For example, enter unlocked.gadgets.renovations.com |
| Shindig server(s) host name | If you are using a single Shindig server, enter the fully qualified internet host name as it appears in the server document, for example, enter host1.renovations.com. If you are clustering Shindig servers, enter the host name of the load balancer or reverse proxy network device, for example, enter shindig-hosts.renovations.com. Note: This host name should be the same host name used to register callback URLs for any OAuth 1.0a or OAuth2 services. |

7. Click Save and Close.

Related concepts:
“Locked domains”
Domain locking is a security feature that isolates and protects OpenSocial widgets from third-party sources that might try to cause harm to other widgets, the browser, or your application. Locked domains are essential for products such as IBM Domino and IBM iNotes that allow users to add or render widgets from third-party sources.

Adding a wildcard record to a DNS server

Setting up a wildcard Domain Name System (DNS) server for your locked widget domains is another required prerequisite, regardless of your deployment.

About this task

Configure your DNS server for wildcard hosting so that requests from your widget subdomains can be processed through a single web server.

Procedure

For details about setting up a wildcard DNS server, see these sites:
- http://www.zytrax.com/books/dns/ch9/subdomain.html
- http://www.debian-administration.org/articles/358
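The following added example (not part of the IBM documentation) checks a planned domain layout against the separation rules in the "Locked domains" topic and derives the wildcard DNS name that covers the locked widget hosts. The SHA-1/base32 hash, the SSO cookie domain, the container host name and the widget URLs are assumptions constructed for illustration; this Help does not say how Domino computes the hash.

```python
import base64
import hashlib


def locked_host(widget_url, locked_suffix):
    """Prepend a hash of the widget URL to the locked domain suffix.

    ASSUMPTION: SHA-1 with lowercase base32 stands in for the hash; the
    Help text does not say which hash or encoding Domino uses.
    """
    digest = hashlib.sha1(widget_url.encode("utf-8")).digest()
    label = base64.b32encode(digest).decode("ascii").lower()  # 20 bytes -> 32 chars
    return label + locked_suffix


def cookie_domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match for host names (not IP literals)."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def wildcard_record(locked_suffix):
    """Wildcard DNS owner name that covers every host built from the suffix."""
    # "-locked.gadgets.renovations.com" yields hosts "<hash>-locked" directly
    # under "gadgets.renovations.com", so the wildcard sits on that parent.
    parent = locked_suffix.split(".", 1)[1]
    return "*." + parent


def audit(sso_cookie_domain, container_host, unlocked_host, locked_suffix, widget_urls):
    """Return (severity, message) findings for a planned locked-domain layout."""
    findings = []
    hosts = [locked_host(u, locked_suffix) for u in widget_urls]
    if len(set(hosts)) != len(set(widget_urls)):
        findings.append(("ERROR", "two widgets map to the same locked host"))
    probe = locked_host("https://probe.invalid/widget.xml", locked_suffix)
    if len(probe.split(".", 1)[0]) > 63:  # DNS limit for a single label
        findings.append(("ERROR", "first label of locked hosts exceeds 63 characters"))
    # The locked suffix must be separate from the SSO and container domains.
    if cookie_domain_matches(probe, sso_cookie_domain):
        findings.append(("ERROR", "SSO cookies are sent to locked widget hosts"))
    if cookie_domain_matches(probe, container_host):
        findings.append(("ERROR", "locked hosts sit under the container host"))
    # Permitted, but the Help recommends keeping these two apart as well.
    if cookie_domain_matches(unlocked_host, sso_cookie_domain):
        findings.append(("WARN", "SSO cookies are sent to the unlocked domain"))
    return findings


# Constructed sample input: widget URLs, SSO cookie domain and container host
# are hypothetical; the gadgets.renovations.com names are the Help's examples.
WIDGETS = ["https://widgets.example/weather.xml", "https://widgets.example/stocks.xml"]

SHARED = audit(".renovations.com", "mail.renovations.com",
               "unlocked.gadgets.renovations.com",
               "-locked.gadgets.renovations.com", WIDGETS)

SEPARATE = audit(".renovations.com", "mail.renovations.com",
                 "unlocked.renovations-gadgets.example",
                 "-locked.renovations-gadgets.example", WIDGETS)

if __name__ == "__main__":
    print("wildcard record:", wildcard_record("-locked.gadgets.renovations.com"))
    for name, result in (("shared parent", SHARED), ("separate domain", SEPARATE)):
        print(name, "->", result or "no findings")
```

An ERROR finding means the browser would attach the SSO cookie to requests for widget hosts, which is the exposure locked domains are meant to remove.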

Setting up the Domino server to run the Domino Social Edition OpenSocial component and Shindig

The setup for running the IBM Domino Social Edition Open Social component and Shindig includes creating the credential store application on the server running Shindig, configuring the credential store application, and creating a configuration settings document for all servers running Shindig.

Creating the credential store application on the server running Shindig

Creating the credential store application on the server running Shindig is part of the procedure to set up the IBM Domino server to run the Social Edition Open Social component and Shindig.


Procedure
1. Open the server console on the Domino server running Shindig.
2. Enter this command:

   keymgmt create nek nekname

   where nekname is any name of your choosing, for example, social.
3. Verify that the NEK is created successfully.
4. Enter this command:

   keymgmt create credstore nekname

   where the nekname value is the same as the nekname value used in Step 2.

Results

Domino creates a credstore.nsf application in the data\IBM_CredStore directory.

Configuring the credential store application for Domino Social Edition Open Social component

This procedure is part of the procedure to set up the IBM Domino server to run the Social Edition Open Social component and Shindig.

Procedure
1. Open the Domino Administrator client and connect to the server where the credential store application resides.
2. Click Files.
3. Select the credential store application, right-click and select Access Control/Manage.
4. Give Manager access to widget catalog administrators, your server, and the user who enabled the agents in the Widgets Catalog.
5. Add the [Admins] role to any administrative users and to the server.
6. Open the credential store application as a widget catalog administrator and open the Configuration view.
7. Click Create encryption key.
8. Click Create new encryption key and then click OK.
9. Open the widget catalog application as a widget catalog administrator, and open the Administration > Configuration view.
10. Click Configure Credential Store and enter the Server Name and NSF Name for the credential store database. To search for the server and database path and name, click Browse and select the correct name and path. Click OK. Use the complete path for the server name, for example, MyServer/DomainIBM_Credstore/credstore.nsf.

Creating a configuration settings document for all servers that run Shindig

Every IBM Domino server running Shindig is required to have a configuration settings document that contains the locked domain settings.

Before you begin
- The Domino Directory on the servers running Shindig must be using the Domino pubnames.ntf template you received with IBM iNotes 9.0 Social Edition.


Procedure
1. Open the Domino Administrator client.
2. Select File > Open Server and open the Domino server running Shindig.
3. Click Configuration, and then click Server > Configurations.
4. Click Add Configuration to create a new configuration settings document.
5. On the Basics tab, in the Group or Server name field, enter the name of a server that runs Shindig or the name of a group containing all servers that run Shindig.
6. Click Social Edition.
7. Click the Basics tab and complete the fields based on your deployment topology. Locked and unlocked domains are used if your organization has IBM iNotes clients.

Table 23. Configuration settings for locked domains and for all servers running Shindig

| Field | Description |
|---|---|
| Locked domain suffix | Enter a suffix to use when generating URLs with which to render locked gadgets. The URLs isolate gadgets from each other within the container. Domino combines a generated string for each locked domain gadget with the suffix you enter. For example, enter -locked.gadgets.renovations.com and a locked gadget is assigned a URL such as xxxxx.locked.gadgets.renovations.com |
| Domain name for unlocked gadgets and content fetching | Enter the DNS name of the domain used for rendering unlocked gadgets and for fetching content. For example, enter unlocked.gadgets.renovations.com |
| Shindig server(s) host name | If you are using a single Shindig server, enter the fully qualified internet host name as it appears in the server document, for example, enter host1.renovations.com. If you are clustering Shindig servers, enter the host name of the load balancer or reverse proxy network device, for example, enter shindig-hosts.renovations.com. Note: This host name should be the same host name used to register callback URLs for any OAuth 1.0a or OAuth2 services. |

8. (Optional) Set the cache files. These fields can remain blank to use the defaults.
9. (Optional) On the Advanced tab, configure settings for both shindig.properties and container.js files. These settings map directly to settings used in the configuration files of the same name in Apache Shindig.
10. Click Save and Close.


Configuring Domino Social Edition Open Social component for iNotes clients

Configuring IBM Domino Social Edition Open Social component features in IBM iNotes includes configuring the server session authentication, configuring automatic updates for widgets, and configuring policies.

Configuring server session authentication

Define one session authentication option to support IBM Domino Social Edition Open Social component features in IBM iNotes.

Procedure
1. In the Domino Administrator client, open the Server document for the IBM Domino server running Shindig.
2. On the Internet Protocols > Domino Web Engine tab, in the Session authentication field, select one of these options for session authentication:
   - Multiple Servers (SSO) - This option is recommended as the best choice if you have both iNotes and IBM Notes clients.
   - Single Server - This option works if you have only iNotes clients, and you have one server for both iNotes and Shindig.
3. Specify settings for the option you select, and then save the Server document.

For details on these options, see Enabling single sign-on and basic authentication in the Notes and Domino Information center http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_ENABLING_SINGLE_SIGN_ON_IN_THE_WEB_SITE_4778_STEPS.html&resultof=%22Enabling%22%20%22enabl%22%20%22single-%22%20%22singl%22.

Configuring automatic updates for widgets

As with widgets in IBM Notes, you can use a policy to automatically push widgets to IBM iNotes users.

Before you begin

Configure widget policies.

Procedure
1. Enable these two required notes.ini file settings in the notes.ini file on the mail servers to enable automatic updates for widgets.

   Note: These notes.ini file settings are server wide settings as opposed to policies. Policies are used per user on every server, but if there is a server that needs to disable EE or Live Text, use these notes.ini file settings to do so.


Table 24. Notes.ini file settings related to iNotes

| Parameter | Acceptable Values | Description |
|---|---|---|
| iNotes_WA_Widgets_AutoUpdate_Group | Name of a Domino group. Default Value = N/A | Sets a directory group name that is used during iNotes Widgets automatic update; all members of the group have auto update run for them. |
| iNotes_WA_Widgets_AutoUpdate_Min -OR- iNotes_WA_Widgets_AutoUpdate_Day | A number. Default Value = 0 | The interval for iNotes Widgets automatic update. Default is 0 (never runs). iNotes_WA_Widgets_AutoUpdate_Day=1 is recommended. |

2. Add the Domino OSGi Tasklet Server (DOTs) server task to the notes.ini file on the IBM Domino server using the ServerTasks= notes.ini file setting. For example, enter
   ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,RnRMgr,DOTS
   This starts DOTs automatically when the Domino server starts.

Creating policies for Domino Social Edition Open Social component

You can use an existing policy or create new policy and settings documents for Social Edition Open Social component users. The policy for IBM iNotes can overlap and share the same settings documents used by the IBM Notes Social Edition Open Social component configuration. You need three policy settings documents for the Social Edition Open Social component: a mail policy settings document, a desktop policy settings document, and a security policy settings document. For more information about policies, see the Configuring iNotes topic. For more information about configuring Widgets with a policy, see Using policies to control widgets and live text access.

Before you begin

This task requires
- An IBM Domino administrator client with $ENABLE_EE=1 set in the notes.ini file.
- The Domino Directory for the domain refreshed from the Domino pubnames.ntf template you received with iNotes 9.0 Social Edition.

Important: While no specific mail settings are required for iNotes Social Edition Open Social component, a mail settings document must exist in any policy that is configured for Social Edition Open Social component to ensure that certain profile notes are populated as part of mail processing for the administration process.


About this task
- The administration process (AdminP) runs every 12 hours to push these policies to iNotes users. AdminP runs on each home mail server.
- To force the push, from the Domino server console, enter the command tell adminp process mail on the home mail server of each user.
- You can also use the notes.ini file setting ADMINP_POLL_INTERVAL=time in minutes to process mail policy at intervals other than the default 12 hours.

  Note: This notes.ini setting processes every mail file on your system and can take a long time. Keep this in mind when setting the interval.

- See Domino Policy FAQ for more information.

Procedure
1. In the desktop policy settings document, click Widgets.
2. In the Widget catalog application name field, enter the widget catalog application name.
3. In the Widget catalog server field, enter the name of the server on which the widget catalog application resides.
4. In the Gadget Server URL field, enter the URL for the Domino server running Shindig. Use the format http://server name:port/fiesta. For example, enter http://shindig.renovations.com:80/fiesta
5. Specify any of the other following settings for widgets, all supported for iNotes clients:
   - Widget catalog categories to install
   - Show the My Widgets panel in the sidebar
   - Enable Live Text
   - Enable default recognizers
   - Restrict provider IDs for installation/execution and Enable provider IDs for installation/execution
   - Restrict extension point IDs for installation/execution and Enable extension point IDs for installation/execution
   - Install widgets from catalog
   - Gadget Cache URL
6. Save the desktop settings document.
7. In the security policy settings document, click Proxies.
8. Click Edit list.
9. Complete these fields:
   - In the Context field, enter /xsp/proxy/BasicProxy/
   - In the URL field, enter the URL to the server that runs Shindig. This value should match the URL provided in the Gadget Server URL field on the Widgets tab of the desktop policy settings document.
   - In the Actions field, enter GET,POST
   - In the Cookies field, enter DomAuthSessId,LtpaToken,LtpaToken2
   - In the Mime-types field, enter * (an asterisk)
   - In the Headers field, enter * (an asterisk)
10. Click Add/Modify Value.
11. Click OK.
12. Save the security settings document.


Related concepts:
Chapter 3, “Configuring iNotes,” on page 23
Administrators specify mail policy and security policy settings as well as notes.ini file settings to complete the full implementation of IBM iNotes.

Related tasks:
“Using policies to control widgets and live text access” on page 28
Control widgets and live text access using the settings on the Widgets tab of the desktop settings policy document.

Using notes.ini file settings to enable widgets, embedded experiences, live text and OpenSocial features

These notes.ini file settings are server wide settings, whereas policies are used per user on every server. If you need to disable embedded experience or live text on a server, use these notes.ini file settings.

Procedure

Add these notes.ini file settings to your server's notes.ini file as needed:

Table 25. Notes.ini settings that enable embedded experience, live text, widgets and OpenSocial features

| Parameter | Acceptable Values | Description |
|---|---|---|
| iNotes_WA_EnableEE | 0 or 1. Default Value = 0 | Set to 1 to enable embedded experiences in iNotes. |
| iNotes_WA_LiveText | 0 or 1. Default Value = 0 | Set to 1 to enable live text in iNotes. |
| iNotes_WA_Widgets | 0 or 1. Default Value = 0 | Set to 1 to enable widgets in iNotes. If iNotes_WA_Widgets is disabled, embedded experiences, live text, and OpenSocial are all disabled (regardless of other settings) because widgets is the core of all of those features. |
| iNotes_WA_OpenSocial | 0 or 1. Default Value = 0 | Set to 1 to enable OpenSocial Widgets in iNotes. If iNotes_WA_OpenSocial is disabled, embedded experiences is disabled (regardless of the embedded experiences setting) because embedded experiences uses OpenSocial widgets. |
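The dependencies in Table 25 mean a setting can be present in notes.ini and still have no effect. The following added example (not IBM code) computes the effective feature state from notes.ini text and also checks the automatic-update settings from Table 24 and the DOTS entry in ServerTasks; the sample file is constructed, and treating keys case-insensitively is an assumption of the example.

```python
# Added example: audit notes.ini text against the dependencies described
# for the iNotes_WA_* settings. Function names are hypothetical.

FEATURES = ("Widgets", "OpenSocial", "EnableEE", "LiveText")

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[Notes]
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
iNotes_WA_Widgets=1
iNotes_WA_EnableEE=1
iNotes_WA_LiveText=1
iNotes_WA_Widgets_AutoUpdate_Group=WidgetUsers
iNotes_WA_Widgets_AutoUpdate_Day=1
"""


def parse_ini(text):
    """Return {lowercased key: value}; case-insensitive keys are an assumption."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def effective_features(settings):
    """Apply the documented rules: every setting defaults to 0, Widgets gates
    all features, and OpenSocial additionally gates embedded experiences."""
    raw = {f: settings.get("inotes_wa_" + f.lower(), "0") == "1" for f in FEATURES}
    eff = dict(raw)
    if not raw["Widgets"]:
        eff = dict.fromkeys(FEATURES, False)
    if not eff["OpenSocial"]:
        eff["EnableEE"] = False
    return raw, eff


def audit(text):
    """Return (effective feature map, list of findings)."""
    settings = parse_ini(text)
    raw, eff = effective_features(settings)
    findings = []
    for name in FEATURES:
        if raw[name] and not eff[name]:
            findings.append(
                "iNotes_WA_%s=1 has no effect: a feature it depends on is disabled" % name
            )
    group = settings.get("inotes_wa_widgets_autoupdate_group", "")
    minutes = _as_int(settings.get("inotes_wa_widgets_autoupdate_min"))
    days = _as_int(settings.get("inotes_wa_widgets_autoupdate_day"))
    if group or minutes or days:
        tasks = [t.strip().lower() for t in settings.get("servertasks", "").split(",")]
        if not group:
            findings.append("automatic update interval set but no AutoUpdate_Group")
        if minutes <= 0 and days <= 0:
            findings.append("automatic update interval is 0, so it never runs")
        if "dots" not in tasks:
            findings.append("automatic update configured but DOTS is not in ServerTasks")
    return eff, findings


if __name__ == "__main__":
    effective, problems = audit(SAMPLE_INI)
    for feature, enabled in effective.items():
        print("%-10s %s" % (feature, "enabled" if enabled else "disabled"))
    for problem in problems:
        print("finding:", problem)
```
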

Widgets created from an OpenSocial gadget

A widget created from an OpenSocial gadget is referred to as an OpenSocial widget. After a client user has added an OpenSocial widget or a Web widget configured for embedded experience to the widget catalog, the IBM Domino administrator must follow an approval process to review, approve, and make the widget available as an embedded experience to client users. Only OpenSocial widgets and Web widgets that provide client users with embedded experiences must be approved and require some additional configuration.

During the approval process, you configure:
- Proxy settings - required. Proxy settings are defined on the Configure Proxy dialog box. The Gadget Proxy tab contains the settings for the endpoints an OpenSocial widget can use with Shindig's proxy. The Content Proxy tab contains settings for the data that may be fetched anonymously from OpenSocial widgets. The content proxy settings apply to resources that the gadget requests, such as CSS and JavaScript, as well as any resources retrieved using the gadgets.io.getProxyUrl() OpenSocial API.
- OAuth client consumer information (keys and secrets) - required only if a gadget uses OAuth.
- IP filter(s) - optional

Proxy Settings

Proxy settings for each OpenSocial widget are specified in the Configuration Proxy dialog box on both the Gadget Proxy and Content Proxy tabs.

You can specify as many proxies as you need for resources that are accessed by the OpenSocial widget you are approving. The proxy settings function as a whitelist that specifies the appropriate security settings for all such resources, allowing client users to seamlessly access everything needed for full functionality of the widget.

Tip: If you do not know whether the OpenSocial widget you are approving accesses any resources that require proxies, check with the original provider or developer of the gadget that was used to create the OpenSocial widget.

You can provide definitions on the Gadget Proxy tab for:
- The widget location (automatically added).
  - GET action only, default headers, no additional cookies.
- The URLs requiring settings for the OAuth Token flows.
  - If OAuth 1.0a is used, Request Token and Access Token URLs with action = GET and Authorization together with the default as headers.
  - If OAuth 2.0 is used, Access Token URL with action = POST, and client_id, client_secret together with default as headers.

  Note: If the URLs for OAuth 1.0a and OAuth 2.0 are present in the gadget.xml, they are added. You may need to add them if the gadget.xml files do not contain the URLs.

- URLs accessed using OAuth-enabled requests
  - Actions as needed, authorization, together with default for headers, and other headers and cookies as needed.
- Other URLs accessed without OAuth
  - Actions, headers, and cookies as needed

You provide definitions on the Content Proxy tab for resources that include static content, such as JavaScript files, images, or HTML content.

Note: When you define proxy settings, define the narrowest scope that allows the OpenSocial widget to function to its fullest capability. While you can configure a proxy setting with * as the destination URL, avoid this practice because it may allow the server to be used for unauthorized activities.

You initiate the approval process for an OpenSocial gadget from a widget document in the widget catalog. When the approval process is complete, you can return to the widget document, and select Edit Proxy Data to edit the proxy data, or select Edit OAuth Data to edit OAuth data.

iNotes users can open widgets from the Domino server running Shindig. This Domino server uses proxy rules (settings) contained within the credential store. Proxy settings configured using the widget catalog application are pushed by the PushProxy agent to the credential store. OAuth-enabled widgets are always rendered on a Domino server running Shindig; never from the gadget server on the Notes client.

At runtime, the URL contained in the request made by a gadget is compared against each of the URLs listed as proxies for the OpenSocial widget. When a match is found, the specified actions, headers, cookies, and MIME type restrictions are applied to the request.
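The following added example (not IBM or Shindig code) models the runtime check described above so that a proposed whitelist entry can be reviewed before approval. It uses the URL, Actions, Headers and Cookies rules stated for the Configure Proxy dialog box; treating a trailing /* as a prefix match, comparing any other pattern literally, and using the first matching rule are assumptions of the sketch, MIME type filtering is left out, and the host and values in the sample rule are constructed.

```python
# Added example: review and apply one proxy whitelist rule.
# Function names and the sample rule are hypothetical.
import re
from urllib.parse import urlsplit

DEFAULT_HEADERS = ["Cache-Control", "Pragma", "User-Agent", "Accept*", "Content*"]
ACTIONS = {"GET", "POST", "PUT", "DELETE", "HEAD"}


def check_url_pattern(pattern):
    """Return findings for a proxy URL pattern; an empty list means no objection."""
    if pattern == "*":
        return ["warning: '*' matches every destination; narrow the scope"]
    parts = urlsplit(pattern)
    components = parts.path.split("/")
    misplaced = (
        "*" in parts.scheme
        or "*" in parts.netloc
        or "*" in parts.query
        or any("*" in c for c in components[:-1])
    )
    if misplaced:
        return ["invalid: wildcard is only allowed in the last path component"]
    last = components[-1]
    if "*" in last and last != "*":
        return ["warning: partial wildcard %r is unlikely to match any target URL" % last]
    return []


def url_matches(pattern, url):
    """Assumed semantics: '/*' at the end is a prefix match, anything else is literal."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-1]
        return url.startswith(prefix) and len(url) > len(prefix)
    return url == pattern


def expand_headers(spec):
    """Expand the Headers field: empty means the default set, [default] is a token."""
    names = [n.strip() for n in spec.split(",") if n.strip()]
    if not names:
        return list(DEFAULT_HEADERS)
    expanded = []
    for name in names:
        expanded.extend(DEFAULT_HEADERS if name == "[default]" else [name])
    return expanded


def name_allowed(name, patterns):
    """Header names are case-insensitive; '*' in a pattern matches any run of characters."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, name, re.IGNORECASE):
            return True
    return False


def apply_rules(rules, method, url, headers, cookies):
    """Return the headers and cookies the first matching rule lets through, or None."""
    for rule in rules:
        if not url_matches(rule["url"], url):
            continue
        actions = {a.strip().upper() for a in rule.get("actions", "").split(",") if a.strip()}
        if method.upper() not in (actions & ACTIONS):
            return None  # by default, no actions are permitted
        allowed = expand_headers(rule.get("headers", ""))
        cookie_names = {c.strip() for c in rule.get("cookies", "").split(",") if c.strip()}
        return {
            "headers": {k: v for k, v in headers.items() if name_allowed(k, allowed)},
            "cookies": {k: v for k, v in cookies.items() if k in cookie_names},  # full names only
        }
    return None


# Constructed rule for an OAuth 2.0 access token endpoint.
SAMPLE_RULES = [{
    "url": "https://api.example.com/v1/*",
    "actions": "POST",
    "headers": "[default],client_id,client_secret",
    "cookies": "LtpaToken",
}]

if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/*", "https://api.example.com/*/v1", "*"):
        print(candidate, check_url_pattern(candidate))
    print(apply_rules(SAMPLE_RULES, "POST", "https://api.example.com/v1/token",
                      {"Accept": "application/json", "X-Debug": "1"}, {"tracking": "z"}))
```
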

IP Filters

The IP Filters consist of Allow and Deny Filters.

The Deny filters are applied to the address, then the Allow filters are applied. The typical pattern for Allow filters is to deny a wide range of addresses, and then to allow only a specific server. There is no benefit to defining Allow filters without defining a Deny filter.
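The following added example (not IBM code) validates IP filter values against the three forms accepted in the IP filter step of the approval procedure and evaluates an address in the order described above. It reads the passage as "an address is blocked only if a Deny filter matches and no Allow filter matches", which is an assumption; rejecting an all-wildcard address and matching a host name by string comparison are also choices of the sketch.

```python
# Added example: validate IP filter values and evaluate Deny, then Allow.
# Function names are hypothetical.
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_OCTET = re.compile(r"^(?:[0-9]{1,3}|\*)$")


def parse_filter(value):
    """Return ('mask', net, mask), ('wild', parts) or ('fqdn', name); raise ValueError."""
    value = value.strip()
    if "/" in value:
        if "*" in value:
            raise ValueError("no wildcards in address/mask form: %r" % value)
        net, _, mask = value.partition("/")
        # Both sides must be valid IPv4 addresses (AddressValueError is a ValueError).
        return ("mask", int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask)))
    parts = value.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        if all(p == "*" for p in parts):
            raise ValueError("an all-wildcard address is the same as '*'")
        if any(p != "*" and int(p) > 255 for p in parts):
            raise ValueError("octet out of range: %r" % value)
        return ("wild", tuple(parts))
    if "*" in value:
        raise ValueError("wildcards are only allowed as whole IPv4 components: %r" % value)
    labels = value.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a fully qualified domain name: %r" % value)
    return ("fqdn", value.lower())


def is_valid_filter(value):
    try:
        parse_filter(value)
    except ValueError:
        return False
    return True


def filter_matches(flt, addr, host=None):
    """addr is an ipaddress.IPv4Address; host is the peer's name if known."""
    kind = flt[0]
    if kind == "mask":
        _, net, mask = flt
        return (int(addr) & mask) == (net & mask)
    if kind == "wild":
        octets = str(addr).split(".")
        return all(p == "*" or int(p) == int(o) for p, o in zip(flt[1], octets))
    return host is not None and host.lower() == flt[1]


def is_permitted(ip, host, allow, deny):
    """Deny filters first; an Allow match then re-admits a denied address."""
    addr = ipaddress.IPv4Address(ip)
    denied = any(filter_matches(parse_filter(d), addr, host) for d in deny)
    if not denied:
        return True  # Allow filters alone change nothing
    return any(filter_matches(parse_filter(a), addr, host) for a in allow)


if __name__ == "__main__":
    deny, allow = ["9.*.*.*"], ["9.6.1.0/255.255.0.0"]  # constructed lists
    for ip in ("9.6.44.2", "9.7.1.1", "10.0.0.1"):
        print(ip, "permitted" if is_permitted(ip, None, allow, deny) else "blocked")
```
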

OAuth configuration

If an OpenSocial widget requests OAuth-enabled services, during the approval process use the Configure OAuth Consumer Information dialog box to specify values appropriate to the type of OAuth service the gadget is requesting. The fields in the dialog box differ according to whether the widget is requesting OAuth 1.0a or OAuth 2.0 authentication flows.

You can complete fields in this document with information received from the OAuth provider. If all of the OAuth information is not immediately available, save the dialog box with the information you have. You can modify the information later by selecting the Edit OAuth Data action from the widget document.

The Consumer Key and Secret are stored as encrypted items in the Consumer Key document in the credential store. When editing the widget document, the original values cannot be retrieved for display. If the widget document is saved without entering additional content in those fields, the original values are used. If new content is entered in those fields, the new content is encrypted and stored back in the Consumer Key document.

Approving a widget created from an OpenSocial gadget

Approving an OpenSocial widget or Web widget configured for embedded experiences that has been added to the widget catalog consists of reviewing, approving and making the widget available as an embedded experience to client users. The widgets that provide client users with embedded experiences in IBM Domino must be approved and require some additional configuration.


Procedure
1. From the Domino Administrator client, click Files.
2. Select the widget catalog and click to open the catalog.
3. Expand the Administration > All Widgets by Approval view.
4. Look for widgets with an approval status of Needs Review.
5. Open the widget document, click Review. A new Security section in the widget document is populated. The widget's approval status changes to Approval Needed.

   Note: If a widget does not have security data requiring approval, the Approval Needed does not apply to that widget.

6. If new security data is displayed, review the information.
7. If the widget should be approved, click Approve. The Configure Proxy dialog box opens.
8. Complete the proxy settings on both the Gadget Proxy and Content Proxy tabs.

   Note: The URL field value is pre-filled from information in the extension.xml file in the widget document.

Table 26. Configure Proxy dialog box settings

| Field | Description |
|---|---|
| URL (required field) | The URL pattern for the proxy. The URL can include the wildcard character *, but only in its last path component. For example, the URL may contain http://www.example.com/images/*. However, http://www.example.com/*/images is not valid. For example, this URL http://www.example.com/foobar/test/* is valid and matches http://www.example.com/foobar/test/test.jsp, or http://www.example.com/foobar/test/someOtherstuff. A proxy URL such as http://www.example.com/foobar/test* is not the same, and is not likely to match any target URLs. The URL may contain only the wildcard character. At runtime, the URL contained in the request made by the gadget is compared against each of the different proxy URLs for the gadget. When a match is found, the Actions, Headers, Cookies, and MIME type restrictions are applied to the request. |
| Actions (required field) | Select one or more of these actions: GET, POST, PUT, DELETE, HEAD. Any action entered here is permitted for any request matching the URL. By default, no actions are permitted. |
| Headers | Defines the headers that can be added to a request made from the gadget server. Headers are values sent by a request to a server indicating how the request should be treated and how the response should be returned. The HTTP specification defines a number of headers as a standard. The token value [default] can now be used instead of specifying the individual headers. Applications can add additional headers to the request. A gadget's request can include additional headers to be set. However, if those additional headers are not permitted by the proxy setting, then the headers are not allowed. If a request depends on additional headers, those headers must be defined. Use commas to separate individual entries in a list of headers. Follow the Internet specification for header names. Header names may contain a wildcard character (*) to match parts of names. For example, if the header name is MyH*, then both MyHeader and MyHome are permitted. If nothing is specified, the default set of headers containing Cache-Control, Pragma, User-Agent, Accept*, Content* is used. If an additional header is required, the header list must contain the desired default headers, as well as the required additional header. For example, to add client_secret to the list of headers, the field would contain Cache-Control, Pragma, User-Agent, Accept*, Content*,client_secret. The token value [default] can be used here to represent the default headers, so adding client_secret can also be done by specifying [default], client_secret. If the wildcard * is specified, all headers are permitted. To prevent any headers from being sent, add a single header name to the field, and do not include any default headers. For example, specify No_Headers to prevent all headers from being sent. Note: The Set-Cookie header is handled separately using the Cookies field, and should not be specified in the Headers field. |
| Cookies | Cookies are informational elements that transfer data between client and server. Gadget requests may contain cookie values that they desire to set. The Cookies field defines the set of cookies allowed to be passed through the server. Use commas to separate multiple cookie names. Specify the full cookie name. No wildcard characters are permitted. |
| MIME Types | Set limitations on the request/response style specified with this field. Use commas to separate multiple values. The wildcard character (*) is permitted in the MIME types. An empty value, or a value of * permits all MIME types to be used. |


9. (Optional) Under IP filter, specify values in the Allow list and Deny list fields as needed. Represent filter values as IPv4 addresses:
   - Fully qualified domain name, no wildcards.
   - IP address and subnet mask, 9.6.1.0/255.255.0.0, no wildcards are permitted. Both sides of the subnet must be valid ip(v4) addresses.
   - IP address with wildcards for specific address components only, for example, 9.6.*.*, but * by itself is not permitted.
10. When you have specified all initial proxy settings, click Save in the Configure Proxy dialog box. Click OK.

    Note: You can modify those settings later, if needed.

11. If the OpenSocial gadget uses OAuth, a version of the Configure OAuth Consumer Information dialog box specific to the gadget's release of OAuth opens. Complete these fields:

    Note: It is strongly recommended that you use secure https URLs in any fields where you enter URLs.

Table 27. Fields in the Configure OAuth Consumer Information dialog box (1.0A)

| Field | Description |
|---|---|
| Application Id | URL to the OpenSocial widget's XML file. Domino supplies this value. |
| Service Name | Domino supplies this value. |
| OAuth Request Token URI | Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| OAuth Access Token URI | Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| *Consumer Key** | Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| *Signature Method | The signature style used when generating requests to a specific resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| *Consumer Secret** | Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |


Table 28. Fields in the Configure OAuth Consumer Information dialog box (2.0)

| Field | Description |
|---|---|
| Application Id | URL to the OpenSocial widget's XML file. Domino supplies this value. |
| Service Name | Domino supplies this value. |
| AllowModuleOverrides | True (default) or False. Indicates whether or not URLs specified in the widget XML can be used. A value of true allows widget XML URLs to be used. A value of false will use only the URLs supplied from the database document. |
| OAuth Authorization URL | Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| OAuth Request Token URI | Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| OAuth Access Token URI | Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use. If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| *Consumer Key** | Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| *Consumer Secret** | Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| Client Type | To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| Grant Type | To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| ClientAuthorization Type | To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| UseAuthorizationHeader | True (default) or False. UseAuthorizationHeader is set to True by default. The UseAuthorizationHeader setting indicates whether or not to include OAuth2 protocol content items as headers. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. Including the OAuth2 protocol content items as headers only is more secure than using url parameters, especially when using HTTPS. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| UseUrlParameter | False (default) or True. Indicates whether or not to include OAuth2 protocol content items as URL parameters. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. Note: Including the OAuth2 protocol content items as headers only is more secure than using url parameters, especially when using HTTPS. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |
| SharedTokens | False (default) or True. Indicates whether or not an access token from a resource provider that matches the service name and consumer key can be used for multiple gadgets. To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget. |

12. When you have specified the necessary OAuth settings, click OK in the Configure OAuth Consumer Information dialog box.

    Note: If necessary, you can modify those settings.

13. The widget document is automatically signed and saved. The approval status in the widget document becomes Approved.

Related tasks:
“Modifying OAuth data after widget approval” on page 110
During the approval process, the approver is prompted to approve the OAuth client consumer information if a gadget includes it. You can modify the OAuth consumer data as needed.

Editing an approved widget

Any changes made to the widget document, for example, changing platform, description, or title, result in the document's no longer being approved. When you make changes to the widget document, you need to reapprove the document. In addition, edited proxy settings are not applied for IBM Notes client users until the widget catalog application replicates.


Editing proxy settings for an approved widget

Edit an approved widget by opening the widget catalog, selecting the widget, and using the edit functions.

About this task

If changes are required to the proxy settings, open the widget document, then select Edit Proxy Data to review and update the proxy settings. These procedures work regardless of whether the proxy settings are listed on the Gadget Proxy or Content Proxy tab.

Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you are editing, and open the widget document.
3. Click Edit Proxy Data.

The Configure Proxy dialog box displays the OpenSocial widget with which proxy settings are associated. The page displays a list of the defined proxies for the widget.

4. From the list of proxies, select the proxy whose settings you are editing. Click Edit.

5. Edit these settings as necessary.

Table 29. Configure Proxy dialog box settings

Field: Description

URL (required field): The URL pattern for the proxy. The URL can include the wildcard character *, but only in its last path component. For example, the URL may contain http://www.example.com/images/*. However, http://www.example.com/*/images is not valid.

For example, this URL http://www.example.com/foobar/test/* is valid and matches http://www.example.com/foobar/test/test.jsp, or http://www.example.com/foobar/test/someOtherstuff. A proxy URL such as http://www.example.com/foobar/test* is not the same, and is not likely to match any target URLs.

The URL may contain only the wildcard character.

At runtime, the URL contained in the request made by the gadget is compared against each of the different proxy URLs for the gadget. When a match is found, the Actions, Headers, Cookies, and MIME type restrictions are applied to the request.

Actions (required field): Select one or more of these actions: GET, POST, PUT, DELETE, HEAD. Any action entered here is permitted for any request matching the URL. By default, no actions are permitted.


Headers: Defines the headers that can be added to a request made from the gadget server. Headers are values sent by a request to a server indicating how the request should be treated and how the response should be returned. The HTTP specification defines a number of headers as a standard. The token value [default] can now be used instead of specifying the individual headers.

Applications can add additional headers to the request. A gadget's request can include additional headers to be set. However, if those additional headers are not permitted by the proxy setting, then the headers are not allowed. If a request depends on additional headers, those headers must be defined.

Use commas to separate individual entries in a list of headers. Follow the Internet specification for header names. Header names may contain a wildcard character (*) to match parts of names. For example, if the header name is MyH*, then both MyHeader and MyHome are permitted.

If nothing is specified, the default set of headers containing Cache-Control, Pragma, User-Agent, Accept*, Content* is used. If an additional header is required, the header list must contain the desired default headers, as well as the required additional header. For example, to add client_secret to the list of headers, the field would contain Cache-Control, Pragma, User-Agent, Accept*, Content*, client_secret. The token value [default] can be used here to represent the default headers, so adding client_secret can also be done by specifying [default], client_secret. If the wildcard * is specified, all headers are permitted.

To prevent any headers from being sent, add a single header name to the field, and do not include any default headers. For example, specify No_Headers to prevent all headers from being sent.
Note: The Set-Cookie header is handled separately using the Cookies field, and should not be specified in the Headers field.

Cookies: Cookies are informational elements that transfer data between client and server. Gadget requests may contain cookie values that they desire to set. The Cookies field defines the set of cookies allowed to be passed through the server.

Use commas to separate multiple cookie names.

Specify the full cookie name.

No wildcard characters are permitted.

MIME Types: Set limitations on the request/response style specified with this field. Use commas to separate multiple values.

The wildcard character (*) is permitted in the MIME types.

An empty value, or a value of *, permits all MIME types to be used.


6. (Optional) Under IP filter, specify values in the Allow list and Deny list fields as needed. Represent filter values as IPv4 addresses:
- Fully qualified domain name, no wildcards.
- IP address and subnet mask, 9.6.1.0/255.255.0.0, no wildcards are permitted. Both sides of the subnet must be valid IPv4 addresses.
- IP address with wildcards for specific address components only, for example, 9.6.*.*, but * by itself is not permitted.
7. Click Save. Click OK.
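The URL, Headers and IP filter rules from Table 29 and step 6, written out as a review script that an administrator can run over proposed proxy settings before saving them. This is an added example, not IBM or Domino code: the function names are hypothetical, and the prefix match for a trailing /* and the case-insensitive header comparison are assumptions about behavior the page does not spell out.

```python
import fnmatch
import ipaddress
import re

# Default header set quoted from the Headers row of Table 29.
DEFAULT_HEADERS = ["Cache-Control", "Pragma", "User-Agent", "Accept*", "Content*"]

def lint_proxy_url(pattern):
    """Classify a proxy URL pattern as 'ok', 'invalid' or 'unlikely-to-match'."""
    if pattern == "*" or "*" not in pattern:
        return "ok"
    _scheme, sep, rest = pattern.partition("://")
    host, _, path = (rest if sep else pattern).partition("/")
    parts = path.split("/")
    # The wildcard is only allowed in the last path component.
    if "*" in host or any("*" in p for p in parts[:-1]):
        return "invalid"
    # '.../test/*' is the documented form; '.../test*' rarely matches anything.
    return "ok" if parts[-1] == "*" else "unlikely-to-match"

def url_matches(pattern, url):
    """Assumed semantics: a trailing '/*' is a prefix match, otherwise exact."""
    if lint_proxy_url(pattern) != "ok":
        return False
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return url.startswith(pattern[:-1])
    return url == pattern

def expand_headers(field):
    """Expand the Headers field: empty means the defaults, [default] is a token."""
    entries = [e.strip() for e in field.split(",") if e.strip()]
    if not entries:
        return list(DEFAULT_HEADERS)
    allowed = []
    for entry in entries:
        allowed.extend(DEFAULT_HEADERS if entry == "[default]" else [entry])
    return allowed

def header_allowed(field, name):
    """True if a request header name is permitted by the Headers field."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower())
               for p in expand_headers(field))

def lint_headers(field):
    """Return review findings for a Headers field value."""
    findings = []
    allowed = [p.lower() for p in expand_headers(field)]
    if "*" in allowed:
        findings.append("'*' permits every header")
    if "set-cookie" in allowed:
        findings.append("Set-Cookie belongs in the Cookies field")
    return findings

def classify_ip_filter(entry):
    """Classify an Allow/Deny value: fqdn, ip, subnet, wildcard-ip or invalid."""
    entry = entry.strip()
    if "/" in entry:
        addr, _, mask = entry.partition("/")
        try:  # both sides must be valid IPv4 addresses, no wildcards
            ipaddress.IPv4Address(addr)
            ipaddress.IPv4Address(mask)
        except ValueError:
            return "invalid"
        return "subnet"
    octets = entry.split(".")
    if len(octets) == 4 and all(
            o == "*" or (re.fullmatch(r"[0-9]{1,3}", o) and int(o) <= 255)
            for o in octets):
        return "wildcard-ip" if "*" in octets else "ip"
    if re.fullmatch(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}", entry):
        return "fqdn"
    return "invalid"  # includes a bare '*'

if __name__ == "__main__":
    for p in ("http://www.example.com/images/*",
              "http://www.example.com/*/images",
              "http://www.example.com/foobar/test*"):
        print(p, "->", lint_proxy_url(p))
    print(lint_headers("*, Set-Cookie"))
    print(classify_ip_filter("9.6.1.0/255.255.0.0"), classify_ip_filter("*"))
```

A Headers value that yields any finding, or a URL pattern that is not classified "ok", is worth a second look before the widget is reapproved.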

Adding proxy settings to an approved widget

You can add proxy settings to an approved widget by using the edit function.

Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you are adding settings to and open the widget document.
3. Click Edit Proxy Data.

The Configure Proxy dialog box displays the OpenSocial widget with which proxy settings are associated. The page displays a list of the defined proxies for the widget.

4. Complete these steps as necessary: “Editing proxy settings for an approved widget”

5. (Optional) Under IP filter, specify values in the Allow list and Deny list fields as needed. Represent filter values as IPv4 addresses:
- Fully qualified domain name, no wildcards.
- IP address and subnet mask, 9.6.1.0/255.255.0.0, no wildcards are permitted. Both sides of the subnet must be valid IPv4 addresses.
- IP address with wildcards for specific address components only, for example, 9.6.*.*, but * by itself is not permitted.
6. Click Save. Click OK.

Removing a proxy rule and its settings from an approved widget

You can remove a proxy rule and its settings from an approved widget.

Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you are working with, and click to open the widget document.
3. Click Edit Proxy Data.

The Configure Proxy dialog box displays the OpenSocial widget with which the proxy rules are associated. The page displays a list of the defined proxy rules for the widget.

4. From the list, select the proxy rule whose settings you want to remove.
5. Click Remove. Click OK.

The proxy rule and its settings are removed from the widget.


Removing all proxy settings from a widget

You can remove all proxy settings from an approved widget.

Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you are working with, and click to open the widget document.
3. Click Edit Proxy Data.

The Configure Proxy dialog box displays the OpenSocial widget with which proxy settings are associated. The page displays a list of the defined proxies for the widget.

4. Select each of the listed proxies, and then click Remove all. Click OK.

Removing approval for a widget

If a widget document is approved and later is not needed, you can remove the approval from the widget.

About this task

For changes to apply to IBM Domino and IBM iNotes, the changes must be available in the credential store. Use the PushToCredStore agent to make changes available to the credential store. When present in the credential store, the code then needs to detect the changes in the database before it refreshes its cached data. By default, Domino checks for changes to the database every 60 minutes. You can use a notes.ini file setting to change the interval. It can take a maximum of 60 minutes before the agent is run and the gadget is disabled.

You can manually run the PushToCredStore agent in less than a 60 minute interval, and then once that agent has completed running, either use the command line commands to refresh social edition cached information, or restart the HTTP server.

To apply changes to the IBM Notes client, the client must replicate the widget catalog database. As the replication events trigger listeners to run, the changes become effective once replication is complete.

Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you want to work with, and click to open the widget document.
3. Click Edit.
4. Expand the Security Section.
5. Click Remove. The security state reverts to Approval Needed.

Modifying OAuth data after widget approval

During the approval process, the approver is prompted to approve the OAuth client consumer information if a gadget includes it. You can modify the OAuth consumer data as needed.


Procedure

1. From the IBM Domino Administrator client, click Files, select the widget catalog and click to open the widget catalog.
2. Select the widget you are working with and click Edit OAuth Data. The Edit OAuth Data button displays only if there is OAuth data in the widget.

If the OpenSocial gadget uses OAuth, a version of the Configure OAuth Consumer Information dialog box specific to the gadget's release of OAuth opens.

3. Edit these settings as needed.

Table 30. Fields in the Configure OAuth Consumer Information dialog box (1.0A)

Field: Description

Application Id: URL to the OpenSocial widget's XML file. Domino supplies this value.

Service Name: Domino supplies this value.

OAuth Request Token URI: Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use.

If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

OAuth Access Token URI: Domino supplies the value in this field if the value is available in the XML file. The value is specific to the OAuth service in use.

If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

*Consumer Key**: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

*Signature Method: The signature style used when generating requests to a specific resource provider.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

*Consumer Secret**: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Table 31. Fields in the Configure OAuth Consumer Information dialog box (2.0)

Field: Description

Application Id: URL to the OpenSocial widget's XML file. Domino supplies this value.

Service Name: Domino supplies this value.


AllowModuleOverrides: True (default) or False

Indicates whether or not URLs specified in the widget XML can be used. A value of true allows widget XML URLs to be used. A value of false will use only the URLs supplied from the database document.

OAuth Authorization URL: Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use.

If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

OAuth Request Token URI: Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use.

If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

OAuth Access Token URI: Domino supplies this value if the value is available in the XML file. The value is specific to the OAuth service in use.

If the field does not contain a value, check with the original provider of the gadget that was used to create the OpenSocial widget.

*Consumer Key**: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

*Consumer Secret**: Part of the identification information used for authenticating the server with the resource provider. This value is obtained by means of a registration process with the resource provider.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Client Type: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

Grant Type: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

ClientAuthorization Type: To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

UseAuthorizationHeader: True (default) or False

UseAuthorizationHeader is set to True by default. The UseAuthorizationHeader setting indicates whether or not to include OAuth2 protocol content items as headers. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true. Including the OAuth2 protocol content items as headers only is more secure than using URL parameters, especially when using HTTPS.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.


UseUrlParameter: False (default) or True

Indicates whether or not to include OAuth2 protocol content items as URL parameters. At least one of the fields UseAuthorizationHeader or UseUrlParameter should be set to true.
Note: Including the OAuth2 protocol content items as headers only is more secure than using URL parameters, especially when using HTTPS.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

SharedTokens: False (default) or True

Indicates whether or not an access token from a resource provider that matches the service name and consumer key can be used for multiple gadgets.

To determine this value, check with the original provider of the gadget that was used to create the OpenSocial widget.

4. Click OK.


Chapter 10. Configuring secure Web federated login for iNotes using SAML

Supporting federated login on the iNotes client

Federated-identity authentication using the Security Assertion Markup Language (SAML) standard relieves IBM iNotes client users of the need to enter an IBM Notes password through the use of Web federated login. Users' IDs must be stored in an ID vault whose IBM Domino server is configured with host names for identity provider (IdP) partnerships.

Before you begin

This procedure assumes that your organization uses more than one computer for the Domino server running iNotes and the Domino ID vault server. The IdP Catalog application must reside on the vault server.

Note: The SAML IdP needs to know where to send the user's SAML assertion. When configuring the IdP in a document in the IdP Catalog, you will specify a valid URL to the Domino server that runs iNotes. The vault server is not contacted by the IdP directly. Instead, the SAML assertion is sent first to the Domino server that runs iNotes, and that server in turn sends the assertion to the ID vault server.

Using a single computer for the Domino Web server running iNotes and the ID vault server

The Domino ID vault server participating in Web federated login typically does not have the Domino Web server configured, but your organization may use a single computer to run both servers.

When the ID vault server is separate, it does not need to observe SSL. But if there is a requirement to use SSL for the Domino Web server (for example, your federation is ADFS 2.0), and they are on the same computer, SSL must be enabled.

About using replicas of the ID vault server

[TBD when the CD6 work to support this will be complete.]

If the ID vault has multiple replicas, the ID vault administrator can decide to use one IdP partnership for all replicas of the ID vault. The ID vault administrator sets up the idpcat.nsf database on the ID vault server to be replicated to all of the Domino servers which have ID vault replicas. If SAML 2.0 is used and the configuration has required a certificate for the ID vault, the ID vault administrator uses the Domino Administrator client and opens the User Security dialog box for the ID vault server ID file containing the certificate. The administrator exports the certificate and corresponding private key to a PKCS12 file. The administrator brings the exported file to the Domino servers that have ID vault replicas, opens the User Security dialog box for each server ID and imports the certificate and private key. Given the sensitive nature of a private key, the administrator should delete any copies of the PKCS12 file from the file system after the import is done.

© Copyright IBM Corp. 2012, 2013

About this task

Web federated login requires four components:
- A Web browser client for all iNotes users
- Domino Web server running iNotes and functioning as the home (mail) server for iNotes client users
- Domino ID vault server
- SAML Identity Provider (IdP)

Perform these tasks:

Related tasks:
“Deploying the ID vault and security policy for Web federated login”
If the IBM Domino ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for IBM iNotes client users, as well as a security policy to apply to such users.
“Setting up the SAML identity provider and federation”
Decide whether your organization will use Microsoft ADFS or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider for IBM Domino and IBM Notes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Notes federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file.
“Enabling the Domino Web server that runs iNotes to provide SAML authentication”
You enable Security Assertion Markup Language (SAML) authentication on IBM Domino using the IdP Catalog application. If the Domino server is password-protected, there may be additional tasks.
“Configuring the ID vault for Web federated login”
The IBM Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).
“Using a security settings policy to apply a Web federated login configuration to client users”
After SAML-based federated login is configured on your IBM Domino server and identity provider (IdP), you can assign its use to IBM iNotes client users through the security policy.

Related information:

Notes and Domino wiki

Deploying the ID vault and security policy for Web federated login

If the IBM Domino ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for IBM iNotes client users, as well as a security policy to apply to such users.

Before you begin

- You must have at least Editor access to the Domino Directory, and access to, if one exists, the ID file and password for the Domino ID vault server.
- iNotes users who are meant to participate in Web federated login must have their ID files stored in the ID vault.


- Any user affected by the policy must have an Internet e-mail address that is known to iNotes either by being specified in a Person document in the Domino Directory, or retrievable to the directory by use of Domino directory assistance.

About this task

A user's SAML assertion contains an e-mail address for the user. Domino must be able to map each user's e-mail address to the user's Notes distinguished name. This required mapping is why all users affected by the policy must have an Internet e-mail address specified in their Person documents in the Domino Directory, so that the IdP can use that e-mail address in its SAML assertion.

Note: For more information about SAML, see the topic Creating and configuring an ID vault, and other related topics in the Notes and Domino wiki.

Procedure

1. Create the ID vault by running the ID vault creation wizard; for instructions, see the related topics.
2. As part of deploying the ID vault, create the security policy. On the Domino server running iNotes, the policy exists in the Domino Directory (names.nsf). The policy should also exist in the Domino Directory on the Notes ID vault server.
3. Ensure that the policy allows iNotes to use the ID vault.
4. Apply the security policy to user organizations (or to specific users) who will have their ID files stored in this ID vault.

What to do next

Take these confirmation steps:
- To see whether an iNotes user’s ID file has been uploaded to the vault, a vault administrator can open the ID vault application and check for the user's name in the Vault Users view.
- If your organization’s iNotes users are managed in Domino Directory Person documents, check a test user's Person document, Internet address field, for the user's e-mail address. If the iNotes users are managed in a directory configured with Domino directory assistance, check the LDAP attribute (for example, the Mail attribute) for the user's e-mail address.

Related information:

Notes and Domino wiki

Enabling the Domino Web server that runs iNotes to provide SAML authentication

You enable Security Assertion Markup Language (SAML) authentication on IBM Domino using the IdP Catalog application. If the Domino server is password-protected, there may be additional tasks.

Before you begin

- The identity provider (IdP) you intend to use with the Domino Web server must be configured before you enable SAML on the Domino Web server running IBM iNotes. See the related topics.
- You must have access to the vault ID file and password, and have Editor access to the Domino Directory.


- Obtain a copy of the metadata.xml file that was exported from the identity provider (IdP), and have its contents ready for import when you create the IdP Configuration document. You can store it in any location accessible to your Domino Administrator client.
- If the IdP Catalog (idpcat.nsf) application already exists, you must have access to create documents in it.
- It is recommended that you use SSL security for your SAML configuration; if your federation is Microsoft Windows Active Directory (ADFS), SSL is required.
- Log in as a test iNotes user to confirm that SAML authentication is enabled. To do so, open a browser and enter the URL for the Domino Web server running iNotes, for example: https://domino1.us.renovations.com.
  Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before iNotes mail is displayed in the browser. If SAML authentication is properly configured at the Domino server, you will see the test user's mail displayed in the browser. iNotes may prompt for a password to the Notes ID file before allowing access to encrypted mail.
  After you have verified that an iNotes user can be authenticated by SAML to start iNotes, then complete the procedure, after which the test iNotes user should no longer see a password prompt for access to encrypted mail.

About this task

The IdP Catalog application must exist on the Domino server that hosts the ID vault whether or not that is the same computer that runs iNotes. If they are on separate computers, you will create two IdP Config documents in the catalog, and replicate the IdP Catalog application to both servers. The documents are essentially identical except for the value in the Host names or addresses mapped to this site field. See the “What to do next” section.

The IdP Configuration document includes several fields whose values are supplied automatically when you import the metadata.xml file from the IdP.

Important: If the Domino server has a server.id file protected by a password, the administrator cannot use the Create Certificate button to create a metadata file. Instead, see the task in this sequence on creating the Domino metadata file if the server.id file is password-protected.

Important: If you later modify an existing SAML IdP Configuration document or add a new one, restart the HTTP process on the Domino Web server so that the changes are recognized.

Note: Enabling SAML authentication may have unexpected results with RSS feeds if your organization uses them.
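Before importing metadata.xml, it helps to see which values the IdP Configuration document will take from it and to record the certificate fingerprints for comparison with the IdP administrator. The following is an added example, not part of the IBM documentation or Domino's import code: the sample metadata, its entityID and the placeholder certificate bytes are constructed, the function names are hypothetical, and it assumes standard SAML 2.0 metadata element names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML20 = "urn:oasis:names:tc:SAML:2.0:protocol"

def placeholder_cert(label):
    """Constructed placeholder bytes standing in for a DER certificate."""
    raw = ("constructed placeholder cert: " + label).encode()
    return base64.b64encode(raw).decode()

# Constructed sample; the endpoints reuse the example host from this chapter.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://tfim.renovations.com/FIM/sps/samlTAM20/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML20}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{placeholder_cert('signing')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{placeholder_cert('encryption')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://tfim.renovations.com/FIM/sps/samlTAM20/soap"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes, for out-of-band comparison."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()

def summarize_idp_metadata(xml_text):
    """Extract the values an import would pick up, plus review warnings."""
    # Metadata has no need for a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not carry a DTD or entity declarations")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 IdP EntityDescriptor")
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "unspecified")
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.setdefault(use, []).append(fingerprint(cert.text or ""))
    summary = {
        "entity_id": root.get("entityID"),
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "artifact_urls": [e.get("Location")
                          for e in idp.findall("md:ArtifactResolutionService", NS)],
        "sso_urls": [e.get("Location")
                     for e in idp.findall("md:SingleSignOnService", NS)],
        "cert_sha256": certs,
        "warnings": [],
    }
    for url in summary["artifact_urls"] + summary["sso_urls"]:
        if not (url or "").lower().startswith("https://"):
            summary["warnings"].append(f"endpoint is not HTTPS: {url}")
    if SAML20 not in summary["protocols"]:
        summary["warnings"].append("SAML 2.0 protocol not advertised")
    if not (certs.get("signing") or certs.get("unspecified")):
        summary["warnings"].append("no signing certificate present")
    return summary

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_idp_metadata(SAMPLE_METADATA), indent=2))
```

An empty warnings list and fingerprints that match what the IdP administrator reports are the two things to confirm before clicking Import XML file.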

Procedure

1. From the Domino Administrator client, create the IdP Catalog application (idpcat.nsf), using the template with the file name idpcat.ntf, or open the application if it already exists.
CAUTION: If your server is running on UNIX, make sure the file name is all lower-case.

2. Assign access in the ACL only to any Domino SAML administrator(s) and to the server.


Note: If the idpcat.nsf is replicated across other participating SAML servers, their entries will be added to the ACL.

3. Click Add IdP Config to create a new configuration document.

Note: If you have additional Internet Site documents in your organization, and you want SAML authentication used at these additional Web sites, create separate associated IdP Configuration documents for each participating Internet Site. For details, see the related topic on configuring SAML from the Internet Site document.

4. On the Basics tab, in the Host names or addresses mapped to this site field, enter a virtual name for the ID vault. It is recommended that you use a virtual DNS hostname with a differentiating string such as "vault", so that it will not be confused with a similar hostname on the network. The resulting hostname does not need to be defined in DNS.

Restriction: If your Domino Web server is using SSL, you must include an IP address after the virtual host name, separated by a semicolon.

Important: The virtual host name you enter here should match what is entered in either the Host name(s) field on the Internet Protocols/HTTP tab in the Server document (if the ID vault is on the Domino server that runs iNotes), or the Host names or addresses mapped to this site field of the corresponding Internet Site document to the ID vault server. In this way you can specify that the ID vault server should share the common identity provider partnership already established for the Domino server running iNotes.
For example, enter vault.us.renovations.com;n.nn.nnn.n.

5. In the IdP name field, enter a name to identify the Web site of the identity provider; the name does not have to be exact, and is only for your administrative convenience. For example, if the Renovations organization has a support site hosted by a third party who will serve as an identity provider, using the IBM Tivoli Federated Identity Manager, the administrator might enter Renovations Customer Support (TFIM).

6. In the Protocol version field, select the SAML version already configured for the partnership.

Important: SAML 2.0 is required if your federation is configured on Microsoft Windows ADFS.

7. Leave State for this Configuration document as Enabled (the default).
8. In the Federation product field, select either TFIM for IBM Tivoli Federated Identity Manager or ADFS for Microsoft Windows Active Directory Federation Services, depending on which federation service you intend to use for SAML authentication. The default is ADFS.

9. In the Service provider ID field, enter the string that identifies Domino as a service provider partner with the IdP. This string should be the same as the HTTP URL for the Domino ID vault server, for example, https://vault.us.renovations.com.

Note: If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com. If you use ADFS for the IdP, SSL is required, so you would use https in the string.

Important: An entry is required in this field to use the Create Certificate button on the Certificate Management tab.

10. Click Import XML file, and specify the metadata.xml file exported from the IdP. It is recommended that you leave intact the information supplied from the imported XML file.

Note: If the federation is configured on ADFS, this file may have a slightly different name, for example, FederationMetadata.xml.

Table 32. Fields in the IdP Configuration document whose values are generated from the metadata.xml file

| Field | Description |
| --- | --- |
| Artifact resolution service URL | Domino generates the artifact URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following artifact URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/soap. |
| Single sign-on service URL | If the data is available in the imported XML file, Domino generates the login URL for the federation service you specified in the Product field. For example, for the Renovations organization, using TFIM, SAML 2.0, and SSL, the following login URL might be generated: https://tfim.renovations.com/FIM/sps/samlTAM20/logininitial. Note: The value in this field is a subset of the expected URL to the IdP. The Domino server generates the full URL when necessary. |
| Signing X.509 certificate | Domino imports the certificate code from file. |
| Encryption X.509 certificate | Domino imports the certificate code from file. Note: This field appears only when the Type field is set to SAML 2.0. |
| Protocol support enumeration | Domino generates a string designating the protocol(s) for the SAML release specified in the Type field that are also supported by the specified IdP. This string will become part of authentication URLs provided by Domino as the service provider to the IdP specified in this configuration document. For example, url.oasis.names.tc:SAML:2.0:protocol. |

11. If you are using SAML 2.0 and need to export a certificate from Domino to use at the IdP, on the Certificate Management tab, perform all of the following substeps:

a. In the Company name field, enter a string to identify the certificate in the Domino metadata file (idp.xml) to be exported. Use any string convenient to your administrators. This string should identify the Domino ID vault server, for example, Domino Renovations ID Vault.

Tip: The name does not have to match anything in the actual IdP configuration. However, the string does have to be compatible with the syntax of the idp.xml file; that is, it cannot include characters such as angle brackets (< or >).

b. Click Create Certificate. If prompted, save the document, return to the tab, and click the button a second time. When creating the certificate, Domino prepends "CN=" to the string in the Company name field and uses this name as the certificate subject. The name may be visible in the IdP configuration after the metadata file is imported.

c. In the Domino URL field, enter a string to identify the fully qualified DNS name in a URL of the Domino server. For example, enter: https://your_iNotes_SAML_service_provider_hostname

The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino.

Note: If SSL is not configured at Domino and you are using TFIM for the IdP, this setting would include http instead of https, for example: http://domino1.us.renovations.com.

Note: You can use the string you entered in the Service Provider ID field on the Basics tab.

d. In the Single logout URL field, enter a URL if the IdP requires one, for example if your federation is Tivoli Federated Identity Manager (TFIM 2.0). The TFIM IdP with SAML 2.0 configuration requires a single logout URL to be specified at the IdP and in the Domino metadata file, even though Domino does not currently implement a SAML 2.0 single logout feature. An example of a logout URL is: https://your_tfim_server.com/sps/samlTAM20/saml20

12. At the top of the form, click the Export URL button to save the created idp.xml file as an attachment to the document.

Note: This button is visible only when a previously created idp.xml file is not already attached.

13. Save and close the IdP Configuration document.
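
To check what step 10 will import before loading metadata.xml into the IdP Configuration document, the following added example (not part of the IBM documentation) parses SAML 2.0 IdP metadata, extracts the values listed in Table 32, and flags endpoints that are not served over https. The sample metadata, the host name idp.example.test and the function name summarize_idp_metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hypothetical IdP, placeholder certificate bodies.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/sps/saml20">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.test/sps/saml20/soap"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://idp.example.test/sps/saml20/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return the Table 32 values found in SAML 2.0 IdP metadata, plus warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without 'use' applies to signing and encryption alike.
            uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
            for use in uses:
                certs.setdefault(use, "".join(cert.text.split()))
    urls = {"artifact": [e.get("Location") for e in idp.findall("md:ArtifactResolutionService", NS)],
            "sso": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]}
    warnings = [f"{kind} endpoint is not https: {u}"
                for kind, locs in urls.items() for u in locs
                if not (u or "").lower().startswith("https://")]
    if "signing" not in certs:
        warnings.append("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"),
            "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
            "urls": urls, "certs": certs, "warnings": warnings}
```

Comparing this summary with the fields Domino populates after the import shows whether the document still matches what the IdP published.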

What to do next

Unless your Domino server running iNotes and your ID vault server are on one machine, go on to create a second IdP Config document following the previous procedure. The document should be identical except that the value in the Host names or addresses mapped to this site field, instead of a virtual DNS name for the vault server, must match the value in the Server document for the Domino server running iNotes, in the Host name(s) field on the Internet Protocols/HTTP tab. For example, the Renovations company may have an entry of domino.renovations.com.

If you use Internet Site documents, follow the steps in the related topics on them, to enable SAML and to specify the preferred session cookie.

Note: If you later change the authentication type in the Internet Site document to remove SAML, your change does not disable SAML unless this IdP Configuration document is either disabled or deleted.

For additional information, see the topics "Setting up a TAM TFIM server to provide SAML authentication," "Using Domino as a SAML-based security provider with SSL," "Configuring SAML in the Internet Site document" and "Setting up Active Directory federated services" in the Notes and Domino wiki.

Related information:

Notes and Domino wiki

IBM technote #1614543: Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products

Configuring the ID vault for Web federated login

The IBM Domino ID vault administrator sets up the vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).

About this task

The ID vault administrator must approve the use of an IdP that will provide SAML credentials. The ID vault administrator decides which IdP is trustworthy. Only credentials from a trusted IdP can be used for downloading an ID file stored in this ID vault. The administrator supplies host names for identity provider (IdP) partnerships to the ID vault in a vault document. The vault server uses the host names to look up IdP information from the IdP Catalog application (idpcat.nsf).

Tip: The Domino Web (HTTP) server does not use the Notes ID vault to retrieve ID files. Therefore, the vault configuration does not apply to the Domino Web server, and no changes need to be made to the vault document for the Domino Web server.

Procedure

1. From the Domino Administrator, open the ID vault application (idvault.nsf), which by default is stored in the IBM_ID_VAULT directory.

2. From the Configuration view, open the vault document for the vault that will be configured for SAML authentication.

3. In the Web federated login approved IdP configurations field, specify a host name. Enter a value from the Host names or addresses mapped to this site field of the IdP Configuration document that corresponds to a trusted IdP which is approved to log in the IBM iNotes users in this vault. For example, if the Renovations organization has created an IdP Configuration document in the IdP Catalog for domino1.us.renovations.com, which is in partnership with a trusted IdP, then the Web federated login approved IdP configurations field in the vault document would contain vault.us.renovations.com.

4. Save and close the vault document.

Related tasks:

“Using a security settings policy to apply a Web federated login configuration to client users”
After SAML-based federated login is configured on your IBM Domino server and identity provider (IdP), you can assign its use to IBM iNotes client users through the security policy.

Using a security settings policy to apply a Web federated login configuration to client users

After SAML-based federated login is configured on your IBM Domino server and identity provider (IdP), you can assign its use to IBM iNotes client users through the security policy.

Before you begin

For this task, you will use the security policy deployed in a previous task of this sequence for iNotes users of your ID vault.

Before you can apply the policy to support federated login, you also need to export a copy of the Internet SSL certificate from your federation (ADFS or TFIM 2.0), import that certifier into your Domino Directory, and cross-certify. For the procedure, see the related topic on creating an Internet cross-certificate.

For additional information about creating cross-certificates, see the topic “Creating an Internet cross-certificate in the Domino Directory” on the Notes and Domino wiki.

Procedure

1. In the Domino Directory, open the existing Security Settings policy for users of your organization’s ID vault.

2. On the ID Vault tab, make sure there is an assigned vault.

3. Select the Password Management > Federated Login tab.

4. Select Yes for Enable Web federated login with SAML IdP.

5. Select Set value whenever modified for How to apply this setting.

6. Select No for Allow User Changes.

7. Optional: Create custom messages for users to notify them when federated login is either enabled or disabled.

8. Save and close the security policy.

Results

For any iNotes user to whom the policy applies, the settings for Notes federated login will be activated on the user's next login.

What to do next

Log in as a test iNotes user to confirm that Web federated login is enabled. To do so, open a browser and enter the URL for the Domino Web server running iNotes, for example: https://domino1.us.renovations.com.

Depending on the IdP configuration, the test user may first be redirected to the IdP's login page before iNotes mail is displayed in the browser. If SAML authentication is properly configured at the Domino server, you will see the test user's mail displayed in the browser. If Web federated login is also properly configured, the test iNotes user should no longer see a password prompt for access to encrypted mail.

Related information:

Notes and Domino wiki

Setting up the SAML identity provider and federation

Decide whether your organization will use Microsoft ADFS or IBM Tivoli Federated Identity Manager (TFIM) as the identity provider for IBM Domino and IBM Notes, and then follow all instructions to set up your TFIM federation or ADFS Relying Party Trust to support SAML authentication for Notes federated login. The tasks you must accomplish include creating the SAML federation and exporting the IdP information to a metadata file.

Procedure

1. Search the Notes and Domino wiki for an article on the SAML federation you decide to use, and follow all instructions to configure the federation to work with Domino.

   • Cookbook: Setting up new Relying Party Trust for AD FS 2.0
   • Cookbook: Setting up a new Federation on TFIM 2.0
   • Cookbook: Setting up a new federation on TFIM 1.1
   • Cookbook: Setting up a new partner on TFIM

IBM technote #1614543 in the related topics will eventually provide links to all such articles.

2. If you are using TFIM as your federation, follow the instructions to configure a Domino server as a TFIM partner in the related topic below.

Related information:

IBM technote #1614543: Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products
