Helpful Tools – Ytria EZ Suite (part 2)

Two weeks ago I wrote about Ytria EZ Suite, a set of tools for HCL Domino that I have been using for years. Unfortunately there were so much to write about the tools that I had to split it up into multiple blog posts. This is the second article about the tools that comprise EZ Suite. In that first post I covered scanEZ, consoleEZ, actionBarEZ and viewEZ, and if you haven’t read it yet, you can find it here.

Most of the tools I previously covered were aimed more towards developers, especially actionBarEZ and viewEZ. The consoleEZ tools can also be very useful for a developer who needs to keep an eye on the server console for potential error messages from agents being executed on the server. But Ytria offer tools directly geared towards administrators as well, so today we will take a look at them.

The first of these tools is aclEZ, and as the name indicates it is used to manager the ACL (Access Control List) of Domino databases. You get an overview of who has access to the databases, and you can modify, create and of course delete entries. You are of course not limited to displaying one database, you can select multiple databases and compare the ACL settings between the different databases. You can also copy ACL settings between databases, so you can setup one database with the proper security settings and then copy them to as many databases as you like on your server.

Ytria is using a configurable grid to display columns in all their tools. This is making it easy to view just the info you are looking for. Columns can be hidden or displayed, sorting can be set, and much more. I find this flexibility very helpful, there are often columns I am not even remotely interested in and now I can just prevent them from being displayed.

In addition you can sort the columns in the grid, and also apply filters so only values matching a specific criteria are displayed.

This is just a couple of examples of the many details I enjoy with the Ytria tools. They have over 20 years of experience creating tools for Notes and Domino professionals, and that shows. Everything is well thought through, and the tools offers great flexibility.

A tool I find extremely useful is databaseEZ. It allows me to get a high level view of all databases on a server, check things like the ODS version, if they are full-text indexed or not, the database size,, when they were last compacted, and also look at the size of the view index for each view in a database.

All this information helps me for example if I need to find out why a Domino application is slow, or which databases needs maintenance first. Almost this information can be accessed from the Domino Administrator client, but not in this easy to read format. Instead you need to open a number of different views and dialog boxes in each database. This is a huge time saver!

The last tool I want to mention today is replicationEZ. As the name states, this is a tool to locate and compare replicas of databases on different servers. Like in the other tools from Ytria, there are too many functions to list them all. I would like to mention a few that I find very useful.

Here I have loaded two of my servers into the replicationEZ grid, and it is now easy to see that there are a couple of databases I don’t have replicas of on my secondary server. I am also loading and comparing the number of documents and deletion stubs in two replicas of a database, and you can see there is a discrepancy on the number of deletion stubs between them (highlighted in red).

It is of course easy to create new replicas, or rather a replication stub. This is another example of how Ytria added functionality that I miss in the native Domino Administrator. Instead of having to sit and wait for a new replica to be created and all documents replicated to the new server (or start the replication, cancel out after a few documents have been replicated, and then let the Domino server finish the replication in the background), replicationEZ creates a replication stub, and I can continue to work while the full replica is created.

There are a few more tools from EZ Suite that I want to talk about, so check back in a few days for the last blog post.


#DominoForever – Release Day

Finally it is here, the new version of IBM Domino. After the world premiere yesterday in Frankfurt, the world-wide launch is taking place today.

The focus in this release is on application development and administration. Features like self-healing of databases and increase of the maximum database size to 256 GB are among the most popular with administrators, while developers have a number of exciting additions.

The two most talked about features are the new Domino Query Language and node.js integration with Domino. Domino Query Language has been written from the bottom up to be fast, and the demonstrations I have seen confirms this. It is fast, very fast! And it can handle searches that would not only take a long time to create in earlier versions of Domino, but would take forever to run. Now the result comes back in a second, or even less. This really blew my mind when I first saw it earlier this year. John Curtis, the engineer that pretty much single handed wrote this code, did an amazing job, fully on par with when Damien Katz rewrote the formula language in ND6 and increased the performance several times over.

The second big feature of Domino 10 is the integration with node.js through the domino-db connector. It will be delivered in a separate application development pack, which will enter beta this week. This is a slight disappointment, I had been hoping this functionality would be available at the launch. But I rather wait the time that is needed for IBM and HCL to make it a fully stable product, instead of rushing something unfinished to the market.

Another product announced today was Notes for iPad, which makes it possible to run existing Notes applications unmodified on an iPad. All the functions we know and love are supported, like replication, offline access to applications, Lotusscript, Formula language, and more.

To support mobile Notes applications, there are enhancements in Lotusscript, for example camera and GPS support. Lotusscript has also been extended with other new classes, for HTTP requests and JSON parsing directly in native Lotusscript. No need to call Java or system API:s anymore!

HCL has done an amazing job in a short time, and Domino is on its way to become a very powerful and extendable platform for modern web development. A company can now not only deploy their existing business applications on iPads, they can also hire young developers who have experience of node.js and modern frameworks/libraries like Angular and React, and have them develop new solutions that can access existing data in Domino databases. Why use Mongo DB for data storage, when you have the much more secure Domino server available?

Domino 10 is not the end point. Domino 11 will be out next year, and IBM/HCL have committed to a long future for Domino. Forget #domino2025, now it is #DominoForever!

If you were not able to attend any of the launch events, here is the live stream from Frankfurt :

1 Comment

Rebuilding my Domino infrastucture

Recently I did some long overdue changes to my Domino infrastucture. Many years ago, when I initially setup my Domino server, I put it in the domain /Martinsson, since my domain at that time was (as well as The server was just for practice and fun initially, but I ended up doing more and more.

In 2013, when my wife Christina and I started a small business, I added additional internet domains to the server. Our business Demand Better Solutions strated getting some traction, and I changed my email address from to But I kept having issues with the outgoing email. Often people did not get my emails since they ended up in their spam folder. I figured that it had something to do with the domain

It was time to bite the bullet and do something. I decided earlier this year that I would setup a server from scratch, on a new hosting service. I arranged hosting with Prominic, a company specializing in high quality Domino hosting. The account was setup in no time and the Domino server was ready to be configured. My new Domino domain would from now on be /DBS.

I am not a stranger to installing and configuring Domino servers, but I decided have a real administrator set up it up for me, to get everything perfect..This way I would hopefully also learn something. Another reason I wanted some help had to do with setting up cross-certifications with my old server in the old domain. My plan was as follows:

  • Set up the new server
  • Cross-certify the two servers and admin accounts
  • Replicate over all databases from the old server to the new
  • Update the ACL on all databases and remove references to the old server
  • Delete the old server and all data files
  • Install a second Domino server in the new /DBS domain
  • Set up replication between the two servers (on different hosts)

I was lucky enough to get help from one of the best, Lifetime IBM Champion Gabriella Davis from The Turtle Partnership. If you need high quality admin help or advice, with Domino or IBM Connections, Gab is outsanding.

Gab helped me set everything up on the new server, I replicated everything, fixed the ACL settings and deleted the old server. The build of the secondary new server went off without any issues, which is not surprising when you consider the stability and maturity of the Domino server platform.

I updated all DNS settings, replicated all databases to the second server, and I was ready to rock’n’roll.

Everything worked well for a while, until I noticed that some email services still categorized a number of my emails (but not all of them) as spam. I did some research and realized that I never changed the SPF record for my domain to point to the correct mail server.

SPF is a email validation system, it works similar to a DNS lookup. When a mail from my domain arrives at a mail server, it performs a lookup to get my SPF record. This record, which is just a plain text string, describes which server(s) are allowed to send mail on behalf of my domain. If the server connecting to the mail server is listed in the SPF record, the email is accepted.

I updated the SPF record, and everything now works perfectly.

This is just another example of how powerful but still easy to use IBM Domino is as a server. The only issues I had were external ones, not related to Domino. Kudos to IBM (as well as the original developers at Iris) for building such a robust and still easy to use platform.




1 Comment

Free Software – Password Reset for Notes/Domino

Earlier this year I was asked to research some alternatives for a web-based password reset function at my work. One of the larger support burdens are users who forget the passwords, especially in the first few days after changing it. We have a 90 day password lifespan, then a new password need to be picked. Some users wait until the last minute, which usually is Friday afternoon right before they go home, making it very likely that they will forget the new password over the weekend. Another big group is auditors, who may come in every 6 months or so, and by then their passwords have of course already expired.

I first looked at some COTS solutions from HADSL (FirM) and BCC (AdminSuite). They were both very competent, and in addition have several other functions that I really would like to have in my environment (like synchronization between Domino Directory and Active Directory). However, as my company is in a cost saving phase, I was asked if I could build something myself, so I played around a little, and came up with a small and simple application.

The application contains two web pages. The first page (Setup) is where the user will setup the security questions used for password recovery as well as entering an external email address that they have access to even if locked out from the Domino account at work. This page is protected by regular Notes security, so the users need to set this up before they lose access to their account.

The second page (Request)is where the user can request the password to be reset. After entering their Notes name, the user is presented with one of the security questions. If the question as answered correctly, the user can now enter a new password. If the question is wrong, another of the questions is presented to the user. I am also using regexp to make sure that the password match the requirement our organisation have for password strength.

Both pages are built using Bootstrap (v3.2.0),  jQuery (v1.11.0), and for the icons I use Font Awesome (v4.2.0), all loaded from BootstrapCDN. I also use a few local CSS and Javascript files to handle older versions of Internet Explorer. The process steps were created using code by jamro and you can find the code here. By the way, Bootsnipp is a great resource to avoid having to invent the wheel again. There are hundreds of free snippets of code there to build neat Bootstrap functionality.

When the user fill out and submit the setup page, a document is created in a Notes database. When the user need to reset the password, the security questions and answers are retrieved from that document. To prevent unauthorised access to the Notes documents, they use Readers fields to prevent them from being visible to anyone but the signer of the agents running on the server.

This application can of course be updated with more functionality. Instead of allowing the user to pick a password, one could be generated by the server and sent through email to the address entered during setup. There are probably other things that can be done to adapt this application to the needs of your organization. And you probably want to change the logo on the pages to fit your organisation.

You can download the application here. It is licensed under Apache 2.0. I will try to get it up on soon as well.

Read the “About” page for instructions on installation and setup, as well as full license and attribution. Enjoy!


Lotus Notes at my work threatened by Microsoft bug


The company I work for is owned by a large multinational corporation, and we are one of the few places not using Outlook/Exchange, but Lotus Notes. We have a substantial investment in custom applications written for the Notes platform, and with the deep integration between applications and email, we want to stay on the platform.

However, earlier this year, a threat against Lotus Notes reared it’s ugly head. Executives at my company were sent meeting invitations from Outlook by other executives in other companies in the group. Some executives received the invitatiosn fine, and could accept/decline, while other got just a plain text email or even blank email. I was tasked to research this, and it seems to be an issue on the sending side. If the sender have the recipients address in their Outlook contacts, the invitation is sent in one format (rich text), if the recipient is not found, it is sent as MIME. So the mail with the invitation is sent in different format by Exchange, with different MIME types (text/calendar vs. text/plain).

It is actually easy to replicate the issue. Send a meeting invitation from Outlook to a Notes user not/never listed in the Outllok contacts. It comes across perfectly:


Then add that same address to the Outlook contacts and send another invitation. It comes across as a balnk mail, with only the message disclaimer from Exchange visible:


There is an IBM technote about this, but there is no solution listed. IBM simply suggest contacting Microsoft. There is a workaround, but that involves all Outlook users changing the default outgoing mail format from rich text to plain text, or to edit this on each single contact. I even had a couple of users here (who also had Outlook mail accounts) try that. It worked in some cases, but not always. And this is not going to work, thousands of users (or at least several dozen executives) will not make all those changes just to accomodate a small Lotus Notes shop like us…

I am continuing to look for a solution, but it has to be one that we can implement on the Domino mail server(s) here. I found a suggestion to add TNEFEnableConversion=1 to notes.ini, I am having my administrator implement that right now, so we will see if that helps. But if that does not fix it, or I can’t come up with some way to process the incoming meeting invitations and fix the MIME type, I can see a number of executives working really hard on getting rid of Notes (at least for mail) here. And that will happen soon…

So, anyone got any ideas?


Update 08/07/2014: I found out that TNEFEnableConversion=1 was already enabled on our mail server, and had been for several years. It seems to also be related to winmail.dat being attached to incoming Outlook mail. I have opened a support ticket with IBM as well.

Update 2 08/07/2014: Within a couple of hours I got the following response from IBM regarding my support ticket (PMR 91606,004,000):

The TNEFEnableConversion=1 parameter was created to extract attachments from a winmail.dat file using the conversion process.  However, this is only used to extract attachments within emails.  This parameter is not intended to extract calendaring information.  The TNEF converter detaches the winmail.dat file, scans it looking for object types that indicate there is file attachment data present, and extracts the data as needed.

According to the RFC standards for SMTP calendaring (icalendar), messages must be formatted in MIME and not MS Rich Text.  As such, this issue is considered a third party bug by our development team because the
MS Rich Text format generates winmail.dat attachments which do not comply with the RFC standards for calendaring.

 At this time, there is no way to address this issue on the Domino side. However, the development is considering in creating an enhancement request not a fix because the issue relies on Exchange/Outlook. The functionality is expected to be in the next release of Domino version 9.0.2.

Meeting invites sent in an HTML or Plain text format work just fine with external applications such as Notes/Domino.

 This sounds promising, now it is just a question how long we have to wait, and if the executives are going to want to wait.



Recover lost SSL keyring password

About two years ago, our Network (as well as Domino) administrator left the company after 10 years. The other day our SSL certificate for one of our websites expired, and we wanted to use a newer wildcard certificate instead of a server specific certificate.
The problem was that we did not have the password for the keyring file (keyfile.kyr) used on the server, either the admin did not document it (which does not sound like him) or the document with the password was lost/we could not find it.

So what to do? We thought about creating a new keyfile and start over, but these days the certificate authorities (like Verisign, Thawte and Go Daddy) use 4096 bit SHA2 certificates as root certificate, which IBM Domino does not support (and don’t plan to support). The recommended solution is to use the IBM HTTP server as a proxy in front of the Domino HTTP server, since that one supports SSH2. So we could not go this way right away (we probably will do it eventually, though), as we just need the SSL certificate up and running on the server right away.

Our administrator came up with a way to get the password for the keyfile, assuming that you have the corresponding .sth file (which we fortunately had). The instructions are below, in case anyone need them in the future.

To recover a Lotus Domino keyring password you need a Lotus Domino server where you have admin access to and the *.sth file which fits the *.kyr file. If you have both you can perform the following steps:
Bring down the HTTP task via:

tell http quit

Open the domino console and enter:

set config DEBUG_SSL_ALL=3

If you now bring back your http task via:

load http

you should see a line similar to:

ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is xxxxxxxxxxx

You now have the password. You can now simply restart the server to remove the temporary notes.ini settings.


End of content

No more pages to load