Tag Archives: Domino

Debugging SAML setups in HCL Domino

If SAML doesn’t work you will probably see Bad SAML Request [/names.nsf?SAMLLogin] in the Domino server console. The first thing to do is add some debug parameters to Domino. The easiest way is to type them on the Domino console, but you can also add them directly to notes.ini or through the configuration document in the Name & Address Book.

set configuration DEBUG_SAML=31

set config WEBAUTH_VERBOSE_TRACE=1

Once these settings are enabled you will see a lot more information on the Domino console, and in that output you will find clues to what could be wrong with your SAML setup.

The first thing I check is what is written in the Service provider ID field against what is configured on the provider side in ADFS, Okta, Azure or another SSO provider. These values must match exactly: http vs. https or a trailing slash will break it.

Another thing to check, if you get strange problems creating the SP certificate, is to always set yourself as Full Access Administrator before creating the certificate. Why, you might ask? Because the action runs code on the server to add the new certificate into the server ID, and without maximum rights you might run into problems when creating the certificate.

Connecting to Office 365 / Azure: if you have a Domino server prior to version 10 and want to connect it to Azure Enterprise applications using SAML, that will not work; trust me, I have tried.
You need at least Domino 10 and the new design of the IdP database with the option AuthnRequest SAML 2.0 compatible.

Another interesting finding of mine when implementing SSO login for customers’ applications was that one of the sides, Azure or Domino, doesn’t keep track of multiple concurrent SAML logins: when multiple logins are started, only one login response is returned. So if you have embedded multiple Domino iframes on a single web page they might break because of this; you need to add something so that only one login request is handled at a time.
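One way to do that on the page that embeds the iframes, as an added example that is not from the original post: a small queue that sets the next iframe’s src only after the previous one has fired its load event, so only one SAMLLogin round trip is in flight at a time. The loader function is injected so the queue can run without a browser; browserLoadFrame is the assumed DOM glue.

```javascript
// Added example (not from the post): serialise Domino iframe logins so that
// only one SAML login request is outstanding at any moment.
function createLoginQueue(loadFrame) {
  const pending = [];      // frames waiting for their turn
  const started = [];      // URLs in the order they were actually started
  let busy = false;        // true while one login round trip is in flight

  function next() {
    if (busy || pending.length === 0) return;
    busy = true;
    const item = pending.shift();
    started.push(item.url);
    // loadFrame must call done() once the frame (and its SAML redirect) has loaded
    loadFrame(item.frame, item.url, () => {
      busy = false;
      item.resolve(item.url);
      next();                // start the next queued frame, never two at once
    });
  }

  return {
    // Queue one frame; the promise settles when that frame has finished loading.
    enqueue(frame, url) {
      return new Promise(resolve => { pending.push({ frame, url, resolve }); next(); });
    },
    started: () => started.slice(),
    inFlight: () => busy,
  };
}

// Assumed browser glue: set src and wait for the iframe's load event.
function browserLoadFrame(frame, url, done) {
  frame.addEventListener('load', done, { once: true });
  frame.src = url;
}

// Push every Domino frame on the page through the queue instead of setting
// all src attributes at once; resolves with the URLs in load order.
function loadDominoFrames(queue, frames) {
  return Promise.all(frames.map(f => queue.enqueue(f.el, f.url)));
}
```

In the page you would create the queue once with createLoginQueue(browserLoadFrame) and leave the iframe src attributes empty in the HTML, letting loadDominoFrames fill them in one by one.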

As you might have understood by now, I could keep going, given the number of SSO implementations I’ve done for clients, both in their own environments and against our SaaS solution QNova Suite or our service eDomino.

Next implementation: Okta. You might run into problems decrypting the SAML data and get one of these errors if you have enabled the extended debug above.

SECCheckAndParseSAMLResponse> VerifyResponseSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> VerifyAssertionSignature : The encrypted data has been modified or the wrong key was used to decrypt it
SECCheckAndParseSAMLResponse> Signature verification check failed : Could not verify cryptographic signature
SECCheckAndParseSAMLResponse> Exiting : The encrypted data has been modified or the wrong key was used to decrypt it

You go into the federation metadata XML file that you downloaded from Okta, check the certificate, everything looks OK, and you wonder what is wrong: aren’t Domino and Okta compatible with each other? Yes, they are, but you need to be using HCL Domino 10 and above, and besides that there is a problem in the XML file. Open the XML file that Okta provided and check each line in the certificate section: you will see that each line ends with CRLF. The solution is to remove all CRLF within the X509Certificate section of the XML file, save it, and then do the setup.

Update from the community: if the metadata XML file contains multiple certificates, Domino will use the last one, so if the file contains multiple certs make sure that Domino picks up the correct one, otherwise you will get the “The encrypted data has been modified or the wrong key was used to decrypt it” error.
Thanks for the info, Jeffrey Redding.
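Both fixes above (stripping the CRLF inside X509Certificate and checking which of several certificates Domino will end up using) can be done with a few lines of string handling before you import the file. This is an added example, not code from the post or from HCL; the metadata below is constructed for the test and its certificate bodies are placeholders, not real Okta or Azure certificates.

```javascript
// Added example (not from the post): tidy an IdP federation metadata file
// before importing it into the Domino IdP Catalog. Plain string handling
// on purpose, so it runs in a browser console or Node without an XML library.
const SAMPLE_METADATA =               // constructed sample, placeholder certs
  '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ' +
  'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exampleIdP">\r\n' +
  '<md:IDPSSODescriptor>\r\n' +
  '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\r\n' +
  'MIIBOLDCERT\r\nAAAABBBB\r\nCCCC\r\n' +
  '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\r\n' +
  '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\r\n' +
  'MIIBNEWCERT\r\nDDDDEEEE\r\n' +
  '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\r\n' +
  '</md:IDPSSODescriptor>\r\n</md:EntityDescriptor>\r\n';

// The namespace prefix (ds:, md:, none) varies between IdPs, so match any prefix.
const CERT_RE = /(<(?:[\w-]+:)?X509Certificate\b[^>]*>)([\s\S]*?)(<\/(?:[\w-]+:)?X509Certificate>)/g;
const KEYDESC_RE = /<(?:[\w-]+:)?KeyDescriptor\b[^>]*>[\s\S]*?<\/(?:[\w-]+:)?KeyDescriptor>/g;

// Base64 body of every X509Certificate element with all CR, LF and spaces removed,
// in file order, so each can be compared with what the IdP admin UI shows.
function listCertificates(xml) {
  return Array.from(xml.matchAll(CERT_RE), m => m[2].replace(/\s+/g, ''));
}

// Fix 1 (Okta): collapse each certificate body onto one line inside its element.
function stripCertificateLineBreaks(xml) {
  return xml.replace(CERT_RE, (_, open, body, close) => open + body.replace(/\s+/g, '') + close);
}

// Fix 2 (community note): Domino uses the LAST certificate in the file, so drop
// every other KeyDescriptor and keep only the one you want. `keep` is 0-based.
function keepOnlyCertificate(xml, keep) {
  let i = 0;
  return xml.replace(KEYDESC_RE, block => (i++ === keep ? block : ''));
}

// Summary an admin can act on before importing: entityID (the value the Domino
// SP ID must match exactly), how many certs, which one Domino will pick, and
// whether the file still needs the CRLF cleanup.
function describeMetadata(xml) {
  const certs = listCertificates(xml);
  return {
    entityID: (xml.match(/entityID="([^"]*)"/) || [])[1] || '',
    certCount: certs.length,
    dominoWillUse: certs.length ? certs[certs.length - 1] : null,
    needsCleanup: stripCertificateLineBreaks(xml) !== xml,
  };
}
```

Run describeMetadata on the downloaded file first; if certCount is greater than one, use keepOnlyCertificate before stripCertificateLineBreaks and import the result.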

These are some of my SSO SAML findings related to Domino. Comment below if you have found some quirky thing when doing setups.

IBM Domino and GDPR, what is this?

On the 25th of May this year a new set of rules comes into effect for companies that deal with European citizens. It gives people some basic rights over the information related to them.
This affects all companies in the EU or working with the EU, so if you are a US-based company but have customers inside the EU you are affected.

  1. Right to know what is stored
  2. Right to be forgotten
  3. Right to correct wrongful data
  4. Right to portability
  5. Right not to be subject to automated decision making

This in turn has some effects on your company and the systems holding the information.

  1. Make sure that you have a data privacy policy
  2. Make sure you know what information you use, for what and where
  3. Make sure that you process information on a legal ground
  4. Inform and get consent from users if needed
  5. Make sure that information is safe
  6. Make sure that the right people have access to the information
  7. Make sure that you can erase or anonymize information that you no longer have the right to process (yes, this also applies to backups)
  8. Make sure that you can correct wrongful information
  9. Have a routine to investigate and report data breaches
  10. Make a list of all your data processors

How can we handle this in a Domino based system then?

Notes names and the AdminP process are a good start for complying with the right to correction and the right to be forgotten, but you will probably need to adjust your applications.
Full-text search and Domain Search can also help you find data that you need to remove and/or correct.
Enable web server logs to find out what is happening in your web environment, but remember to clean up this log according to the retention policy you have decided on, and state in your privacy policy that you log these things.

If you need assistance, have questions or need help getting ahead of this feel free to contact me.
Also follow my Twitter feed for GDPR articles in Swedish and English –> GDPR News

I’ve also found a tool that can help you track changes in your Domino environment: GDPR Logger
(Contact me if you find this tool interesting.)

Some more info in this YouTube video by Ytria


Making your Domino environment work for you

If you haven’t started using REST API calls with your Domino environment, it’s time now. This will help you extend and connect your Domino environment to external services, or connect external services to your Domino environment.

There are several ways to expose a REST API from the server:

  • Domino Data Services
  • SmartNSF on OpenNTF
  • XPage with JSON output
  • Domino view displayed as JSON
  • LotusScript or Java agent

Here are some ideas of what you could do:

  • Sending data to / getting data from an ERP system
  • Remotely running print jobs
  • Compiling log events from servers or machines
  • Sending control files to a cutting machine
  • Getting information about how many people walk through a door
  • Getting sales numbers from cash registers into the Domino-based extranet
  • Automatically fetching the exchange rate and updating it in the system
  • Moving a support case forward in your external helpdesk
  • Connecting IoT devices directly to Domino, or using IBM IoT in Bluemix as the collection point

If you have any great additions to the possibilities or need help implementing them, feel free to contact me or comment below.

Time to update your Domino environment

Today Google released Chrome 48 and has deprecated RC4 as an encryption cipher because it is broken.
This affects you if you have an older version of Domino that doesn’t support any other encryption protocol for HTTPS.

Domino 9.0.1 FP4 or FP5 will give you the support you need to use updated protocols.

And I really hope Google will implement the Swedish error page for everybody 🙂


And if you need help contact me.

iNotes, IBM Traveler, IBM Verse, Win 10 Mail

We have all been living with the mailbox in the IBM Notes client, but because I work with lots of different clients I rarely use my own ID. Therefore my main mail client has been iNotes / iPhone Mail through Traveler / the Verse iPhone app. But when I upgraded my machine to Windows 10 and the Traveler server to the latest version, I found that it works great to use Traveler mail with the Windows 10 built-in Mail and Calendar client.
Yes, it’s a bit limited, mostly in that you can only have one email open at a time. You can’t use Outlook because that client is blocked on the Traveler server, probably because of some advanced communication that the Outlook client uses. Hopefully they will release that support at IBM Connect this month.
So if you haven’t tried it yet and have a Traveler version that supports the Verse client, you can try it yourself. Feel free to comment on your experience and use of other clients against the Domino server.


IBM Domino and Java problem with old applets

All the old Java applets (yes, some old apps not yet converted still use them) got another problem today on Domino 9 and 9.0.1. They are now blocked by Oracle because the code signing certificate is outdated. It seems that when they were updated to work with Java 1.7 update 45, the person who re-signed them did so with an old certificate, and that cert has now been expired for a month. If IBM or you want to keep track of when your code signing or SSL certs expire, the QNova Systems contract management system works really well for this purpose and many more; contact me if you want to know more. It will also be interesting to see whether the new code signing cert is created with SHA-2, because I don’t think you can get one with SHA-1 anymore, and that would make Java 1.6 obsolete because it has no support for SHA-2.

I’ll keep you updated on this matter.

News from IBM ConnectED15

Some of the news from IBM ConnectED:

IBM releases early access to IBM Verse.

IBM Verse will come as a Domino solution for on-premise deployment later this year.

The Domino HTTP engine will get more updates beyond the previously released ones with SHA-2 and TLS 1.0.

It will get new HTTP security options such as TLS 1.2, PFS and AEAD.


The IBM HTTP Server add-on released with Domino 9 will be deprecated.

The NSF datastore will get updates that we have all wanted for a long time.

View indexes outside of the database, and with this and DAOS we are finally breaking the 64GB NSF database maximum.

Live view updates is a server task that will pull and update view indexes at an interval of your choice; this update is already in 9.0.1 FP3.


XPages will receive support for encryption and signatures

New backend classes for XPages, LotusScript and Java agents.

There are plans in future upgrades to update Java in Domino to 1.7 or 1.8.


XPages support in Bluemix, see Niclas’ article

Availability for this great new functionality is Q2 2015, price has not been announced yet.

This is the news I have captured; if I missed something please comment.

Part 2 of Partial Refresh in Notes Forms

I couldn’t accept defeat in the battle to get partial refresh into old-school Notes applications. After a second look at my code I found a way, so I rewrote the JavaScript library as a JavaScript object class so that all calls are made inside the class. Now a partial refresh of the entire form tag is the standard way of refreshing, but you can also narrow the refresh to everything inside a div or a table cell if you want to. Server-side refreshes from a QuerySave agent also work.

So what you need to do is add the AjaxCall script library to your database.

Call the function PartialDomino.onloadAjax() in your onload event.

Now all refresh events on the form will be handled as partial refreshes.

If you also want to handle clicks from a button, give the button an id and add that id using PartialDomino.addPartialRefreshId("refresh","")

The next time the button is clicked a partial refresh is done.

If you add a second id to the function, only the element with that id will be replaced after the refresh.

Download the database and see the working example:

PartialDominov2.zip

Holiday Hack: Get some XPage power in old Notes apps

UPDATE: Post with a fully working example, including working server-side redirects

One of the great things about XPages is the partial refresh, which lets you update information inside the page without a full reload. That is not possible with older Notes applications, because they do a full round trip to the server each time we change something. But we can update the screen without the user noticing, using Ajax. What I did was create a copy of the main JS function that Domino uses, _doClick, and replace it with my own version of that function in onload.

function onloadAjax() {
  // Keep a reference to Domino's original _doClick so the replacement can still call it
  window._doClickNew = window._doClick;
  // From now on every form event on the page goes through newDoClick
  window._doClick = window.newDoClick;
}

I store the original function in _doClickNew; that is the great thing about JavaScript in this case: everything is an object, including functions, so I can place myself in front of the original function. My function will now be called whenever something happens on the Domino form. There are two types of events on an old-school Domino form: a refresh post and a full post. The script detects whether you are trying to do a refresh post and converts that into an Ajax request. You can also add entries to a JavaScript array, PartialRefreshArray, by pushing new entries, PartialRefreshArray.push("mybutton"); if you then add a button to the form with the id mybutton, it will also be Ajax refreshed.

But there are some downsides to this functionality: we can’t use server-side redirects. When the form is posted, the referer is used when returning data, and because we have Ajax-refreshed the form, the URL isn’t updated correctly if we created the document using the following URL:

server/database/form?openform

What we need to do is create the document before we open it the first time, and then load the document using:

server/database/view/UNID?editDocument

If that is used the code can imitate partial refresh, but remember that no server-side redirects can be used: the WebQuerySave agent runs, but not the redirect, so if you want to move away from the form you need to use client-side JS.

I’ve created a simple database to show the functionality, which you can download here.


Conclusion: the partial refresh behaviour can be added, but then you need to work around any redirects done using agents, pre-create the document, and have a scheduled agent to delete the forms that were never saved.

This is only a hack example, not production code, and it may stop working if IBM/HCL changes anything.


Setting up an sFTP server to be used with an existing Domino SSL certificate

With the new way of creating SSL certs for Domino a new opportunity occurred to me, and it actually worked great. Because we create the certificates using OpenSSL, the generated key and certificate can also be used on the same server to set up an FTPS server. Sadly, because the Domino FTP server on OpenNTF.org doesn’t support FTPS, I had to use the FileZilla server; the setup was super simple.

Run the setup.

Go into settings and enable FTP over SSL, then select your .key file and the certificate file that you got back from your certifier. Also check the other option to force all connections to the server to be FTPS.

FileZilla Server Settings

And now you have an FTPS server that can deliver external content to your Domino server. The last thing you need to set up is the users and groups that should be able to connect to the server.

Update: Paul Farris commented that this is an SSL-based FTP server, not an SSH-based one, so the real name should be FTPS, not sFTP.