We ran out of time during our April webinar for the Q&A session, so this blog presents all of the questions and answers for you. Again, we thank Heather, Roberto, Serdar and John for providing more detail on this interesting topic, and a big thanks to Daniel Nashed for helping with some of these answers too.
Before the Q&A, however, we have some additional goodies for you. Heather and Roberto have put together a blog on some details they didn't get to in the slides.
Q: Is it easy to scrap and then rebuild an ID Vault in Domino?
A: The best-practice approach is to build an ID Vault as soon as you create a server and to make a replica of the resulting ID Vault database. Having said that, yes, you can scrap an ID Vault and then go through the process of creating a new one.

Q: I can't find the password to my ID Vault. How much trouble am I in?
A: You are definitely in trouble. The only option is to create a new Vault.
Q: Personally, I think it's good practice to use OUs to separate servers and signer IDs from the user IDs: /SRV/ACME, /QA/ACME, /USR/ACME.
Context: The purpose of the comment during the webinar was with regard to keeping the architecture simple.
A: O and OU organization is definitely subjective. The purpose of the comment during the webinar was with regard to keeping the architecture simple, which would be ideal for a small deployment. However, for a large deployment in a company that is federated, OUs may indeed lend themselves to secure distributed administration and end-user categorization. Overall, just like with server platforms, there really is not a single best practice here.
Also, a best practice is to make a backup of all cert IDs along with their passwords. Your future self will thank you.
Q: Is the Notes client able to connect to a Domino server created in an OpenShift container that has port 1352 exposed in a reverse-proxy way? I know it is complicated, but I'm just asking if it is possible.
A: We went straight to Daniel for the answer on this one. Today there is no supported solution available. HCL is aware of the need, however, having heard this request from Business Partners already.

Q: We want to move all on-premises servers into the cloud, on OpenShift containers, using the Daniel Nashed script. We somehow don't want to recreate the environment from scratch. Is there a best practice for this kind of migration?
A: Another question that we took to Daniel. His response: This is really difficult to answer. It is less about a Domino migration and more about learning the best way to implement and use OpenShift. Once you have OpenShift configured correctly, this is a normal Domino migration. But the key challenge is to get the right OpenShift configuration.
Q: What tool do you use to analyze NSDs and crashes?
A: Generally, admins will use their eyes and experience. The key things in an NSD are to find the PID and TID that crashed and the call stack of that PID and TID. John mentioned encouraging people to use the Fault Analyzer task and to set up your environment for fault data collection, as Heather had mentioned, so that you can identify patterns that lead to crashes if you are experiencing a high number of outages.

Q: Do you recommend a different Notes network port for cluster traffic?
A: Yes :) It will depend on your environment and available resources, of course, but ideally, yes.

Q: How about HCL SafeLinx as a front end for the Traveler server?
A: Absolutely. HCL SafeLinx can manage and redirect incoming requests from Traveler clients to Traveler servers.
Q: Is LE4D going to be part of Domino v12?
A: No, but the new CertMgr application will have the same features and much more. LE4D works only with the Let's Encrypt CA, while the new app will work with any CA.

Q: For 443, how do we let Java agents know where the certificate files (.kyr, .sth) are?
A: If the question is about connecting to HTTPS targets when the remote certificate is untrusted, this is documented here: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0035853
Q: Serdar, your thoughts on using Basic Authentication for REST services (naturally over HTTPS)?
A: Basic Authentication has inherent security flaws in various scenarios. For example, it's easily decoded once intercepted, it has a large attack window as it's transmitted with every request, etc. HTTPS will definitely help, but there are still reasons to be uncomfortable with it. In some cases it would be acceptable with reasonable precautions; for example, a securely containerized consumer in a closed network would provide a more secure architecture. In less controlled environments it's still possible to implement cookie-based session authentication for RESTful consumers. The only problem is that it has some non-standard behaviours. Eventually, OAuth2 support would be ideal for the future.
Q: Can the value of 'redirectTo' in the POST be validated or rewritten?
A: I have seen pen-test issues related to the RedirectTo parameter. In certain cases this parameter might be considered a security vulnerability. I created an idea (https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-273) about this a while ago. There is also a notes.ini parameter, "DominoValidateRedirectTo=1". Refer to this technote: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0037962
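As an added example (not code from the webinar, from HCL, or the logic behind DominoValidateRedirectTo), here is a minimal validator for a RedirectTo-style parameter in an application that reads the value and issues the redirect itself, such as a custom login form or agent. The function name, the default target, the host allowlist and the sample inputs are all assumptions; the inputs are constructed to mirror the kind of values a pen tester submits when probing for an open redirect.

```python
"""Validate a RedirectTo-style parameter before issuing a redirect.

Added example, not Domino's own code: a minimal open-redirect check for
an application that reads the RedirectTo value itself. Function,
parameter and host names are illustrative assumptions.
"""
from urllib.parse import unquote, urlsplit


def safe_redirect(value, default="/", allowed_hosts=()):
    """Return ``value`` if it is a safe redirect target, else ``default``.

    Accepts same-origin absolute paths ("/mail/user.nsf?Open") and,
    optionally, https URLs whose host is on an explicit allowlist.
    Everything else (other schemes, protocol-relative "//host",
    backslash and percent-encoding tricks, header-injection characters)
    falls back to ``default``.
    """
    if not value:
        return default

    # Decode once so "%2F%2Fevil.example" is judged as "//evil.example".
    candidate = unquote(value)

    # CR, LF, tab and other control characters have no business in a
    # Location header; they enable header injection or parser confusion.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default

    # Browsers treat "\" like "/" in the authority part, so "/\evil.example"
    # is really "//evil.example". Normalise before parsing.
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowlisted
        # host is acceptable. ``hostname`` drops any "user@" prefix, so
        # "https://intranet.example.com@evil.example/" is judged by
        # evil.example, not by the decoy before the "@".
        if parts.scheme.lower() == "https" and parts.hostname in allowed_hosts:
            return candidate
        return default

    # Relative target: must be an absolute path on this origin. "//" was
    # already caught above as a netloc, but be explicit anyway.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Constructed inputs of the kind a pen tester would submit in RedirectTo.
CONSTRUCTED_CASES = [
    "/mail/user.nsf?Open",                         # legitimate same-origin path
    "//evil.example/",                             # protocol-relative
    "/\\evil.example",                             # backslash trick
    "https://evil.example/",                       # absolute, not allowlisted
    "javascript:alert(1)",                         # non-http scheme
    "%2F%2Fevil.example",                          # encoded protocol-relative
    "/names.nsf\r\nSet-Cookie: a=b",               # header injection attempt
    "https://intranet.example.com@evil.example/",  # userinfo decoy
]

if __name__ == "__main__":
    for raw in CONSTRUCTED_CASES:
        target = safe_redirect(raw, allowed_hosts=("intranet.example.com",))
        print(f"{raw!r:48} -> {target!r}")
```

The design choice worth noting is that the check runs on the decoded, backslash-normalised value and then uses the parsed scheme and host rather than string prefixes alone; a prefix check such as "starts with /" on the raw value is exactly what the protocol-relative, backslash and percent-encoding cases above are built to slip past.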
Q: If a Java agent on the web gets an "Out of Backend Memory" error, which size needs to be increased? It occurs when JVM Heap Space indicates ample memory is still available.
A: When a Java agent is called through the web, it's run by the HTTP task, so HTTPJVMMaxHeapSize is the setting to adjust.

Q: java.pol should be used for Domino Volt, I suppose, rather than modifying java.policy?
A: After v11, HCL Domino does not use the java.pol file anymore. Instead, you need to use the "$user.home/.java.policy" file. Please refer to the relevant technote: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085173
Q: We have never implemented ID Vault. What is a good document that explains everything and has detailed steps for the process to implement it? I am the only admin, so I want to make sure I don't mess it up.
A: The documentation explains in detail how an ID Vault works and all the steps needed to set it up; start here: https://help.hcltechsw.com/domino/11.0.1/admin/conf_notesidvault_c.html

Q: There used to be a notes.ini analyzer at http://www.lntoolbox.com/en/online-tools/notes-ini-analyzer.html. Did anyone use this, and is it still alive?
A: That website no longer seems to be active.

Q: What is the best current resource for notes.ini settings? I recently ran into a setting that caused a problem on the server, and I eventually found out that the setting had been deprecated and replaced by a new setting in the NSF.
A: The HCL Notes and Domino documentation available on the HCL website should be considered reliable. For example, the following page lists the notes.ini parameters for Traveler 11: https://help.hcltechsw.com/traveler/11.0.0/List_of_Notes_ini_settings.html. And this one covers the notes.ini parameters that may be set in the Domino Configuration document: https://help.hcltechsw.com/domino/11.0.0/conf_notesinisettings_c.html