Inform2015 - What's New in Domino 9 & 9.0.1 for Admins

What’s New in IBM Domino 9 and 9.0.1

Jared Roberts | Senior Consultant

primaxis.com.au

June 11th & 12th, Melbourne, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2015

Don’t sue me ?

This presentation may contain the following copyrighted, trademarked, and/or restricted terms:

• IBM® Notes®

• IBM® Domino®

• IBM® Connections

• IBM® WebSphere®

• IBM® DB2

• IBM® AIX®

• Tivoli®

• Linux®

• Java®

• Microsoft®

• Windows®

• Red Hat®

• Skype®

• Twitter®

• Facebook®


Speaker Info

Jared Roberts● Senior Consultant – Primaxis

Notes & Domino since v6Not an IBM ChampionDon’t have 10 Lotus certificationsDon’t think I know everything

Over 50 Notes/Domino environments - large & small

Many many many Notes/Domino 6, 7, 8 & 9 upgrades/installs

Traveler 8 & 9, Sametime 8.5.2 & 9, Connections 4, 4.5 and 5

● 10 years in Admin

WebSphere Application ServerTDI IntegrationIaaSM$ OfficeOK Developer (as long as there’s not too much heavy lifting!)

Drummer in Thrash Metal Band


• This presentation represents my individual experiences, thoughts and opinions and do not represent of the views of my employer, Inform2015, AusLUG, IBM, IBM Business Partners or any other organisation or entity.

• I (most likely) don’t know more about stuff than you do…. feel free to call me out on errors in my presentation & publicly humiliate me as you see fit.

Disclaimer


Agenda

● We’ve upgraded now……..right?

● The NEW stuff that you NEED to look at

Program Docs – pattern matching & Wildcards

DBMT

Compact –REPLICA

QoS

Fault Reporting Disposition

Policy Settings

Widgets Settings

SAML

TLS

Embedded Experiences


Agenda

● The OLD stuff that you NEED to revisit!

ID Vault DAOS

TDI

Auto-Pop Groups

User Workspace Roaming

SSO for Web Clients


“How to Upgrade”


Now I’m upgraded right?


Have you……?

Upgraded Domino DirectoryUpgraded On Disk Structures (ODS)Reviewed Programs and maintenanceEnabled DBMTImplemented Replica CompactingImplemented Fault Reporting DispositionImplemented QoSEnabled Design CompressionEnabled Data CompressionEnabled LZ1 CompressionUpgraded Mail TemplatesUpgraded Notes ClientsImplemented ID VaultImplemented Transaction LoggingReviewed LDAP Schema and accessImplemented TLS for Web ServersChecked your Catalog tasks

Reviewed Policy FeaturesReviewed Security SettingsReviewed Desktop SettingsEnabled and configured DDMEnabled Admin Probes by defaultConsidered implementing DAOSConsidered Implementing SAMLConsidered syncing AD dataConsidered Embedded Experiences

What about Traveler?What about Sametime?What about Connections Files & Profiles?

What about backup?What about Anti-Virus?


THE NEW STUFF !


Program Documents

• Pattern matching– the question mark (?) allows you to include all servers where one or more

subsequent characters in the server name vary

For example

– Mail??/SVR/Springfield will include Mail01/SVR/Springfield and Mail02/Springfield


Program Documents

• Wildcards– You can also use an asterisk (*) anywhere within a server name

For example

– *01/SVR/Springfield will include Mail01/SVR/Springfield and Apps01/SVR/Springfield

• Groups– You can use Domino Groups that contain servers


DBMT

• Database Management Tool

• Improvement on the db maintenance that you know (and love!)

• DBMT does all of the following:– runs copy-style compact operations

– purges deletion stubs

– expires soft deleted entries

– updates views

– reorganizes folders

– merges full-text indexes

– updates unread lists

– ensures that critical views are created for failover

– fixup of corruption


DBMT

• Why use it?– Replaces the need for running Compact on non-system databases.

– Replaces the need for running of Updall (if run on all dbs)

– Eliminates the “Your view is being updated on the server” message when you fail over to a cluster replica.

– In a clustered environment DBMT will review the cldbdir.nsf to ensure a replica is available at all times.

• If you haven’t already – Revisit your current compact strategy!


DBMT

• Where it is not used– By default does not compact system databases

– Will perform updall and fti operations

• System databases not compacted by DBMT:

• Additional system databases (ie secondary directories) can be specified:– DBMT_FILTER=names2.nsf,names3.nsf,mailjrn.nsf

admin4.nsf busytime.nsf catalog.nsf cldbdir.nsf clubusy.nsf daoscat.nsf ddm.nsf domlog.nsf

events4.nsf log.nsf lndfr.nsf names.nsf statrep.nsf dbdirman.nsf dircat.nsf mtsore.nsf


DBMTHow to use it

• Can be started from the Server Command Line

• Can be automated by using Program Documents– Multiple maintenance procedures are easier to maintain

– would be nicer as a tab in the server doc?


DBMTHow to use it

load dbmt <database, folder, IND file> <options>

-compactThreads <n> Use <n> threads for compact where n is between 0 & 100 inclusive

-updallThreads <m> Use <m> threads for updall, where m is between 0 & 100 inclusive

-ftiNdays <f> rebuild the full text indices every <f> days from creation

-ftiThreads <g> Use <g> threads for the rebuild of the full text indices, where g is between 1 & 100 inclusive

-force <n> Take the DBs offline for fixup & compact.Where <n> is the day of week to do the force (1: Sunday, 2: Monday, etc) 0 is any day

-CompactDays <p> compact DBs that have not been compacted in last <p> days

-timeLimit <q> only run compact for <q> minutes

-range<s><e>

only run between times <s> and <e> daily. Must be over 10 minutes between <s> and <e>Times must be specified in 12hour format with a required AM / PM (ie 03:00AM)

-stopTime <e> only run between now and <e> once

-noCompactLimit allows compact to run past the end time to finish, but no new compacts will be started


DBMTCompacting

• If there is limited time for compacting – DBMT will compact databases until it runs out of time– Set amount of time (ie 60min)

– Set time (ie 7am)

• Compacts will cease if they are incomplete – then RESUME when DBMT runs the next time– pretty cool!

• No input from Admin needed!


DBMTMail File – Disable Compact Abort

• Traditionally – when mail is delivered by the mail router to a mail file that is being compacted, any compact operation will be aborted. (or not started)

• Use MailFileDisableCompactAbort=1 in the NOTES.INI on Domino Server

• Or you can run DBMT with the -noCompactLimit switch.– Mail arriving in mail.box for delivery to a user while their mail file is being compacted

will remain undelivered in mail.box on the Domino Server

– The router will periodically retry delivering new mail to the user, but will not succeed until the current compact completes

– Once compact completes, the new mail waiting will get delivered on next retry by the router

– May be an issue for high-touch large mail files


DBMTMail File – Enable Delivery Failover

• Router has ability to failover mail delivery to an available cluster replica when:– Copy-style compact of mail file is in progress

– Fixup of mail file is in progress

– Mail file doesn’t exist (maybe deleted)

• Use MailFileEnableDeliveryFailover=1 in the NOTES.INI on Domino Server


DBMTMail File – Enable Delivery Failover

• DBMT will use the cldbdir.nsf to determine if it should compact the mail file on a Cluster mate on this day to make sure all Cluster Mates are not compacting same replica on the same day

• When delivery failover occurs:– Out of Office OK

– Mail Rules OK:But all Cluster members need to be specified in “Allowed to use monitors” configuration in Server Doc Security Tab.

– $MailClusterFailover item will be appended to the note with a value of the Domino Server name of the server where the note was actually delivered to.


DBMT

Compact Filter Indirect File

• You can use an Indirect file (.ind) to specify exceptions for compacting by DBMT. This way you can prevent a db being compacted automatically if it needs to be available all the time

• dbmt_compact_filter.ind


DBMT

Multiple DBMT Instances

• You can run multiple DBMT instances – however you should do this carefully– Prevent task overlap

• If DBMT is running on all databases on the server – any second attempts at starting DBMT will be halted.


DBMT

View Indexes in Mail Files

• DBMT will create, update and mark ‘non-discardable’– awesome

– Improve the user's fail over experience by keeping the View indexes up to date

– Eliminates the “Your view is being updated on the server” message when you fail over to a cluster replica.

– If many users are failing over this could lead to long delays and heavy loads on the server.

• Inheritance needs to be enabled for the Database design


DBMT


• By default – only works on following mail templates:– StdR7Mail

– StdR8Mail

– StdR85Mail

– StdR9Mail

• And on these views:

($Inbox)($Drafts)($Sent)($All)($RepeatLookup)($ToDo)($Calendar)

($Haiku_TOC)($Alarms)($iNotes)($Users)($iNotes_Contacts)($ThreadsEmbed)


DBMT


• This can be customized to allow further templates and Views to be included with these NOTES.INI parameters– DBMT_MailTemplate=templatename1,templatename2,templatename3

– DBMT_TemplateName=ViewNameOrAlias1;ViewNameOrAlias2;...ViewNameOrAliasN

• Substitute TemplateName after the DBMT_ with the inherited database Template Name

• Substitute the ViewNameOrAliasN with database View Name or Alias and separate them with either semicolons or commas

• NOTES.INI settings are restricted to 128 characters


DBMT

Running from Program Document

• The ‘Server to Run On’ field may have:

• The full name of the server

• A cluster name to run on the servers in a cluster

• A wildcard asterisk on the left of a hierarchical name to run on all servers in an OU

• A wildcard asterisk anywhere in the hierarchical name to run on specific servers – ie: Mail*/SVR/Springfield

• Wildcard question marks – ie mail??/SVR/Springfield

• An asterisk to run on all servers

• A server group. Group type must be 'Servers Only’ type


DBMT


• The following will run DBMT on the mail folder on Mail01 server for 60 minutes at 3am.


DBMT


• The following will run DBMT on the mail folder on all mail servers at 3am. But terminates at 6am because Users start work at this time.


DBMT


• The following will run DBMT for 3 hours on a Saturday on all databases except those specified in the compact filter at 3am.


DBMT

Statistics

• After DBMT Completes the statistics are listed in the Server Console– The last run can be shown with command: show stat dbmt


DBMT

DAOS

• DAOS is enabled with “compact -c -daos on” – This is not available through DBMT.

• DBMT works on DAOS enabled databases the same way as Updall and Compact


DBMT

Last Compact

• New feature in Admin client– Great info for checking if compacts are being done in timely manner


DBMT

Fragmentation

• DMBT causes fragmentation– Need to factor defrag in dbmt schedule

• Applications available that support DBMT and defrag in one schedule


Compact Replication

• Compact –C– Copy (.tmp) and replace

– Database inaccessible for the duration of execution

– Preserves NoteIDs

– Used with fixup to resolve db corruption, but if ID table heavily fragmented, compact unable to resolve.

• Compact –REPLICA– Replica (.repl) and replace

– Database accessible, except for the rename phase

– Internally reorganizes the IDs in the new replica; thus, does not maintain NoteIDs

– Primarily used as a preventative, but also used as a resolution

– Used for dbs that are potential targets for, or have history of fragmented ID tables

– Not a replacement for compact -c, but a complimentary option


Compact Replication

"Unable To Extend an ID Table - Insufficient Memory”

“Insufficient Memory”

• Cause:– Many Adds and Deletes from the database

Ie: log.nsf or high-touch business application

• Usual workaround:– New Replica

– New Copy

– Restore from Backup (uggghhh)


Compact Replication

• Optional ID Table analysis - Calculate fullness of ID table to determine need for compaction

• Creates/synchronizes temp .REPL database with original .NSF database - Get initial full set of notes– Note copy phase: keeps existing and deleted notes in contiguous sets

– View synchronization: Builds views in temp .REPL db to match .NSF

– Unread synchronization - Builds unread lists in temp .REPL database to match original .NSF

• Replace:– Drop all users from original .NSF database

– Take original .NSF offline

– Rename original .NSF to .ORIG database

– Rename new temp .REPL database to new .NSF database

– NOTE: If rename cannot complete, compact replication proceeds from this point at next opportunity (at next initial db open OR Domino server restart. Can force with -RESTART option.)

• Sync new .NSF with original .ORIG database – new updates since initialization– Note copy phase

– View synchronization

– Unread synchronization

• Bring new .NSF back online and delete .ORIG version.


Compact Replication

-REPLICA RequiredCreates a new replica in the background while compacting. The new replica is automatically renamed, and the source application remains accessible except during actual renaming. Also applies any of the three following optional parameters specified.

-REN_WAIT n Optional

Creates a new replica while compacting. Waits n minutes before renaming replica.

Example: -REN_WAIT 10 allows 10 minutes for compact process to complete replication and synchronization to attempt renaming

-RESTART OptionalCreates a new replica while compacting. If automatic renaming of replica does not succeed, restarts the server and completes the renaming of the replica after server startup.

-IDS_FULL n Optional

Creates a new replica while compacting, but only after a specified n percentage of IDs in application has been reached.

Example: -IDS_FULL 80 creates replica only after 80% of space for IDs in original application is full.


Compact Replication

• Example 1– Single db at Console– Retries rename for 10 minutes if unsuccessful

• Example 2– Single db using Program Document– Only compacts when IDTable is at 80%. Run early in morning as application likely not used at this time. No restart

• Example 3– Multiple dbs using Program Document and Indirect file (.ind)– Ind file contains 3 system databases. Server will restart because files are always in use


QoS

• Monitors general operation of Domino server– Health & Performance, Stability, Applications, Server Hangs

• May be configured to email an Administrator or even restart the server!– ie - application is hung or memory issues

• Controlled by Notes.ini settings and dcontroller.ini settings

• Requires Domino to be running under Java controller– nserver -jc


QoS

• Configure QoS basic options (in dcontroller.ini)

– QOS_PROBE_INTERVAL=

– QOS_PROBE_TIMEOUT=

– QOS_SHUTDOWN_TIMEOUT=

– QOS_RESTART_TIMEOUT=

– QOS_APPS_TIMEOUT=

• First time stating the Domino server under the Java Controller will create the dcontroller.ini file


QoS

• Identify critical server operations to pause QoS– ie – backup, large data operations

• Configure SMTP recipients

• Configure NO KILL option– QOS_NOKILL=1

• Configure QoS restarts limitation

• Verify the QoS is running


QoS

Caveats

• Not supported on Servers with ID Passwords• Any auto-restart will just pause at the password prompt

• QoS Timeouts may be too low.

• Don’t enable QoS without Transaction Logging



• Enhanced Fault Reporting introduced in v9

• Expanded to include a by Disposition view

• All faults when analyzed have a disposition value that categorises as:– Problem

– Possible Problem (possibly actionable)

– Possible Problem (likely NOT actionable)

– Informational

– Unknown (investigate)




SAML

• Security Assertion Markup Language– Protocol and process for exchanging authorisation and authentication data for a user

between services and servers

• Requires Identity Provider (idP)– Ie Active Directory FS or Tivoli FIM

• idP communicates to Service Provider (SP) via XML assertions– ie Domino, Notes, WebSphere

• Assertions have three roles– Authentication, Authorisation, Retrieving Attributes


SAML

BP104 – 2014 - Chris Miller/Gab Davis


SAML

• Choose your idP– The most obvious choice is Active Directory if you are Windows environment

• Configure the idP– relying party trust, claim rule, metadata XML file location

• Configure the SP– ie Domino, Notes, WebSphere

• Read the “Supplementary Information on SAML…” technote– http://www-01.ibm.com/support/docview.wss?uid=swg21614543





• Render 3rd party applications into your Notes client– IBM Connections, xPages applications & more

• Requires OpenSocial Component installed

• Relies on Widget Catalog and Credential Store

• Enabled for users via Policy

• Supports SSL/TLS & Clustering– Config gets a little more complicated though!


Widget Settings

• Supports OpenSocial Gadgets– Can be imported, reviewed and approved

• Can be configured for specific client releases


Widget Settings

• OpenSocial Widget approval history and expanded status info

• XPages User Interface


TLS

• TLS 1.2 Now Supported in Domino native HTTP stack– Domino 9.0.1 FP3 IF2 and Notes 9.0.1 FP3 IF3

• IBM HTTP Server no longer needed to front Domino Web servers!

• Can use Notes.ini value to set Ciphers– SSLCipherSpec=nnNNnnNN

• IE, Firefox, Chrome have methods to disable SSLv3

• Some Domino tasks still run on SSLv3 – DIIOP, iSpy


Other cool stuff worth a mention!

• SHA-2 Support

• Custom LTPAToken names in Web SSO Documents

• Notes Browser Plugin

• Credential Store (credstore.nsf)– Used for sharing credentials for Oauth protocol

– Used for configuring Embedded Experiences

– Can be used in a cluster


Other cool stuff worth a mention!

• Discover Page Options


THE OLD STUFF


ID Vault

• What it does…– Uploads copies of ID files for existing users

– Adds ID files to vault during registration of new users

– Reset forgotten passwords (Help desk)

– Synchronization of ID files across multiple computers

– Integration with iNotes/Web

– Auditor function to gain access to encrypted data

– Marking of ID files as “Inactive” (via adminp when deleting users, directly in vault)

• Why do it…– Simplifies provisioning of Lotus Notes ID credentials

– Streamlines process for resetting forgotten passwords(Help desk options, Programmatic interfaces for self-service password applications)

– Automates ID file maintenance(ID file synchronization, renames, key rollovers, replacement due to loss or corruption)

– Supports processes for legal discovery/access to encrypted data, potentially

– preventing the loss of valuable information


DAOS

• “Just enable it…?” ……. No

• Run the DAOS Estimator– Minimum Participation Size

– Don’t enable it on certain system databases

• Repository Location

• Mail.box

• Understanding of Backup is important– Deferred Deletion Interval

– Pruning

– What not to back up


TDI

• Entitlement to use with Domino!

• Can set up simple or complex assembly lines

• Can sync data from AD to Domino and Vice Versa

• Set up Connectors, build your Assembly Lines and off you go!– Sounds easy right?


Auto-Pop

• Specify Update interval in Domino Directory Profile

• Uses background LDAP search

• Can Populate users by Home Server

• Customisable…?– http://www.eknori.de/2008-06-10/tweak-the-auto-populated-groups-feature-in-

domino-85/


User Workspace Roaming

• Workspace Tabs and Application links

• Contained in bookmark.nsf

• Enabled by default when user is upgraded to Roaming

• Can be enabled/disabled by Custom Settings in Notes.ini– DISABLE_WORKSPACE_ROAMING=1


SSO For Web Clients (Windows)

• Great for Windows environments that use many Web Apps

• Set up Multi-server session-based authentication– and Windows SSO integration

• Assign Server Principal Names (spn’s) to specified AD User– Assign one spn for each URL used on the Domino server(s)

– Use domspnego.cmd

• Domino Windows service starts as specified AD user– Often this user must be in Admins group on the host server

• Configure User Name Mapping– Use DA if Users managed in AD, Person Docs for Domino

• Enable Browser Support– IE, Firefox, Chrome

• Careful consideration for existing SSO and Client authentication


Summary

• Upgrades aint upgrades

• Domino 9 introduces a bunch of new features to help us Admins as well as impress the users!

• An upgrade or migration is a good chance for review as well– We’re often too busy and stick to old ways rather than taking the time and learning

something new!

• Keep your users in the loop as to what’s happening!

• Subscribe to the techy newsletters that give you up-to-date info on Fix Packs, HotFixes and Feature Releases.


QUESTIONS?

COMMENTS?


THANKS!

Be sure to check out the following sessions:Unmask The True Potential of xGrid | Sumit Tayal | Today | 2.10pmYtria – Making Life Easier for Admin & App Dev | Steve Hooper | Today | 3:25pmWhat’s new in IBM Notes & iNotes 9 | Karen Hooper | Tomorrow | 8:45amxPages Tip & Tricks | Johan Poot | Tomorrow | 8:45am

Jared Roberts@jazzaroberts

jazzaroberts

jared.roberts99

jazzaroberts


References• DOMINO HELP!

• IBM Knowledge Center– http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/welcome/domino_9.0.1.html

• What’s new in Domino 9.0 and 9.0.1– https://www-01.ibm.com/support/knowledgecenter/#!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_r.dita

– https://www-01.ibm.com/support/knowledgecenter/#!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_901_r.dita

• Using DBMT and Compact Replication– http://www-01.ibm.com/support/docview.wss?uid=swg27039379&aid=1

• ID Vault Overview & Best Practices– http://www-01.ibm.com/support/docview.wss?uid=swg27037703&aid=1

• Simplifying the S’s– http://www.slideshare.net/gabturtle/bp104-saml

• Fixing Domino Sickness– http://www.slideshare.net/gabturtle/fixing-domino-server-sickness

http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/welcome/domino_9.0.1.html

http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/welcome/domino_9.0.1.html

https://www-01.ibm.com/support/knowledgecenter/%23!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_r.dita

https://www-01.ibm.com/support/knowledgecenter/%23!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_r.dita

https://www-01.ibm.com/support/knowledgecenter/%23!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_901_r.dita

https://www-01.ibm.com/support/knowledgecenter/%23!/SSKTMJ_9.0.1/admin/over_whatsnewinibmdomino_social_edition_901_r.dita

http://www-01.ibm.com/support/docview.wss?uid=swg27039379&aid=1




http://www.slideshare.net/gabturtle/bp104-saml

http://www.slideshare.net/gabturtle/bp104-saml

http://www.slideshare.net/gabturtle/fixing-domino-server-sickness

http://www.slideshare.net/gabturtle/fixing-domino-server-sickness

Software

Inform2015 - What's New in Domino 9 & 9.0.1 for Admins