A New Base - A New Hope - A New Beginning. Factory Tours Episode 2

This week I spent time in Milan at HCL’s 2nd factory tour at their offices.   It was an intense couple of days, with presentations from the development teams working on Domino, Notes, Nomad, Sametime, DQL, etc, as well as HCL executives working on building the support program, the partner program, and HCL’s client advocacy program.

After several great discussions with people from HCL and IBM all I can say is that things are moving F-A-S-T and thank you in particular to Richard Jefts, Russ Holden, John Curtis, Tony Blake, Pat Galvin and Francois Nasser for listening to my ideas even if they end up being unworkable.

Note there was no discussion of Connections at all as that deal with IBM is not finalised and HCL aren’t in a position to discuss it. HCL are targeting April 1st for the deal and early June for everything to be transitioned over, with the v11 beta this summer and the v11 launch around end of Q4.

Here are some highlights that I noted from the conversations and sessions that I want to share here.  I apologise if I have incorrectly noted what I heard.

Domino (presented by Russ Holden) - v11 Features 

  • Directory Sync from Active Directory to Domino Directory. Renames made in AD will trigger a Domino rename.  Attempting to get rid of or at least minimise the HTTP password field and make AD authoritative.  We had discussions about whether attributes in AD should/could be written to by Domino or if AD was to be the single authoritative and management source.
  • HTTP password authentication via ID Vault instead of person document, including the ability to keep the Notes password and HTTP password in the vault in sync. Those of us who work with Traveler know the risk of changing the HTTP password until we get client certificate authentication in Traveler, and we shared that with Russ as well.
  • DAOS will still exist but in v11 there will also be Cloud Object Storage where a single instance of an attachment per note ID will be stored in Amazon’s S3 cloud by default but with the option for extensions to other servers. The concept is that it would potentially save on both on premises storage costs and backup requirements for the attachment store.  It’s not intended to be a space saving offering over DAOS as although there will be one instance of an attachment regardless of cluster replicas, that instance is based on the note id of the document.  That means whereas with DAOS an email sent to 40 people will generate only a single NLO on each cluster server, with this model there would be 40 attachments all accessible by any server in the cluster.  How appropriate this will be as a solution will be dependent on your storage and backup requirements as well as your typical mail usage.
  • A new PubSub feature that will allow applications to subscribe for updates that Domino will publish rather than poll for them.  Traveler is a good example, currently Traveler scans each user’s mail file on a polled interval to see if there are updates and if there are it then grabs them to send to your device. Polling databases asking for “anything new to tell me” is a lot of unnecessary overhead when the alternative is Domino publishing updates each time there is activity (note adds, deletes, folder adds etc).  The ability to subscribe to specific databases you want immediate activity on and for Domino to publish that activity to you as it happens obviously has a huge scope beyond performance outside of Domino as well. Which leads us to…
  • Using ElasticSearch for searching which will utilise the PubSub functionality in order to get immediate updates to process.  ElasticSearch will be configurable on a database-by-database basis including the option to have it take the place of Domino FT search.  One of my issues with ElasticSearch is its security model and they are also working on an API to address that so that we get security parity with the current FT search model.
  • Message recall for undelivered (scheduled or queued) mail.

The Clients (presented by Andrew Davis, Maxx Sutton, Barry Rosen)

The focus for v11 is very much around the client delivery and UI.

There is a new UI under development for Notes and some of its key templates that modernises it and brings it more in line with the UI design of Verse.  These are early stages but they will be part of the v11 ship.  Verse continues to be extended with very welcome upcoming support for mobile browsers and a goal to have parity with iNotes by the end of this year.

HCL Nomad, currently on public beta for iPad (yes, they know we want it SHIPPED) was demoed for Android and ChromeOS at Think and to us this week.  iPhone is also on the way.  To develop for Android HCL used OpenGL and that code can also be compiled as WebGL which, using WebAssembly, will enable Nomad to run in most browsers with the same fidelity and behaviour as on the mobile devices.

I’m not saying that would give us a lightweight client but it would totally give us a lightweight client that could be used in something like HCL Places for instance.

Sametime (presented by Pat Galvin)

Sametime 10 Limited Use, that now includes mobile entitlement, is on track to be delivered in the first half of this year.  The persistent chat feature that allows chats to be routed to multiple devices you are logged into will, in the first instance, require MongoDB with Domino coming “later”.  I have a big problem with this.  Neither I nor my customers want to bring the overhead of MongoDB into a Domino site just for this single feature regardless of how welcome that feature is.  I hope HCL prioritise “later” as “soonest” to be honest, otherwise I suspect we’ll be deploying v10 of Sametime initially without its biggest feature.

Platforms will be Windows initially then Linux.  All 64-bit.

Sametime will be released lock step with Domino, so at the end of this year Domino 11 will support the product released as Sametime 11.  Targeted for release with v11 is Docker deployment and support for integration with Zoom, Webex, etc. Stretch goals for v11 include getting rid of the Sametime System Console and the ability to invite external guests into chats.

In addition, they are looking to deliver chat enhancements in v11 such as read status on messages, @mentions, and multi-device file transfer so you can select which device a received file is downloaded to as well as choosing which device to answer an audio / video call on if you are logged into multiple devices.

Finally for meetings I’m delighted to hear that they are working to remove the accursed browser plugins for audio and video from v11.

Sametime 12+ includes targets that are stretch goals on v11 and additional targets such as removing WebSphere and DB2.

DQL (Presented by John Curtis)

The 1.0.1 Appdev pack which contains all the functionality you need to deploy DQL from Node is out this quarter.  The plan is to have quarterly updates to the Appdev pack introducing new features.  Some things planned for future updates include:

OAuth authentication.  This is a huge deal and has to be done right.  DQL only works as a solution if we can maintain the same security model that Domino gives us and OAuth has the ability to give us that.   Currently the OAuth implementation in the Appdev pack is application level, meaning one identity shared by anyone using that application, which means no reader fields or custom per-user security.

They are working to support on-the-fly computation of formulas to support things like computed for display fields.

For searching there will be support for both FT Search and the new ElasticSearch with indexes created across databases and in attachments where required.  Searching rich text and mime is also on the agenda.

These are just some of my highlights.  There was a lot more and if you want to get involved I highly recommend registering for Engage UG in Brussels this May (14/15) https://engage.ug.  It’s a free user group event and HCL will be there in force with a lot more to show, hopefully on the heels of some beta content.

If you want to add your own enhancement requests and suggestions definitely go to the aha! site and add them there.  Everyone who spoke said they monitored that site and many of the features that are coming are based on posts there.

https://domino.ideas.aha.io/

HCL Client Advocacy - (presented by John Immerman)

If you are a customer or a business partner please sign up for the Client Advocacy Program @ HCL.  John Paganetti and his team will connect you with a developer advocate who will work with you to make sure your requests are heard, your PMRs don’t stall, and your ideas are taken seriously.  Much of what they do is learning about how you use the tools and what your pain points and wishes are.  This speaks to the core of who HCL are and I can’t think of any other company who would commit skilled expert resources to these kinds of relationships.  If you want to be heard go register here. There are 200 companies registered already with hundreds more requested and being personally contacted.  Nothing about this is automated so don’t pass up the opportunity.

https://www.cwpcollaboration.com

Support - (presented by Michael Fiorentino)

The support model is still transitioning over from IBM including hundreds of thousands of technotes and HCL are moving away from the Salesforce support interface that IBM use to a simpler more streamlined one.  The big question I wanted to ask was whether HCL would do away with the login requirement to read technotes or get patches.  Currently IBM require you to be a customer with a support license to be able to read technotes and find out what may be wrong.  I’ve always thought that’s crazy and I know it frustrates customers and partners alike.  Both Richard Jefts and Michael Fiorentino confirmed that is not how they plan to run things and that’s a great start.

Michael also wanted to understand the business partner requirements so he could structure things to make it easier for us to open calls at the right level of expertise and to do so on behalf of our customers in an easier way.  Michael has a frankly astonishing amount of work ahead of him to get the support structure right, but he was very open to all our ideas and comments and I honestly believe they are committed to doing this right and not “business as usual”.

I heard from more people there of really good IBM’ers who are moving to HCL. I don’t want to name them here as that’s their business but I’m delighted they are joining.

Let’s all work together and do great things.


Domino 11 Jam Coming To London

The Domino jams continue, now onto Domino 11 and with a date of January 15th in London. No location yet but I’d be very surprised if it’s not IBM South Bank.

I attended a couple of jams last year and I can confirm many of the comments made and items requested ended up in the v10 products and several have already been prioritised into v11.  If you are interested in the future of the collaboration products and especially Domino then you will want to contribute ideas to the jam so email Brendan McGuire (MCGUIREB@uk.ibm.com) and ask to attend.

We all hope to be there investing in the future of products we believe in.  Hope to see you there as well.

If you are interested in locations other than London check out this URL, where there are already locations and some dates announced.

#dominoforever

DMARC, GDPR & Social Connections

Last week I was at Social Connections in Philadelphia.  The Social Connections team once again put on a great conference around IBM social software and extended this time to include security content.  I presented two sessions - one around security and specifically SMTP DMARC deployment, which I am increasingly being asked to deploy.  My second session was about how to approach GDPR as the regulations come into force in less than 1 month. I tried in this session to speak to a US audience who may not be aware in what ways GDPR will impact their business.

Both sessions are shared below and I hope you find them of interest / use.

An Introduction To The DMARC SMTP Validation Requirements
DMARC is an SMTP security standard being increasingly requested by customers to protect against email spoofing. It uses a combination of SPF (Sender Policy Framework) records and DKIM (DomainKeys Identified Mail). Using DMARC you would publicly specify how your outbound mail is sent and the receiving server would verify that the mail it receives matches your requirements. In this session we’ll discuss DMARC deployments and what to do if your mail server (like IBM Domino or SmartCloud) does not yet support DKIM.
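To make the "receiving server verifies that the mail matches your requirements" step concrete, here is an added example (my own illustration, not code from the session or from any Domino component) of the three checks a receiver performs: evaluating the published SPF record for the connecting IP, parsing the _dmarc TXT record, and applying DMARC's identifier alignment to the SPF and DKIM results. It is deliberately offline: the SPF record, DMARC record, IP addresses and authentication results are constructed inputs, only the ip4/ip6/all SPF mechanisms are handled (include, a, mx need live DNS), and the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List. The point it demonstrates is the one the abstract hints at: DMARC passes on either an aligned SPF pass or an aligned DKIM pass, so a server that cannot DKIM sign still passes as long as its envelope sender domain aligns with the From domain, and a third party sending on your behalf from its own bounce domain fails unless it signs with your DKIM key.

```python
"""Added example, not the post's or the slides' code: the three pieces a
receiver needs to apply DMARC. Offline on purpose: the DNS records and the
authentication results are constructed inputs, SPF is evaluated for
ip4/ip6/all only, and the organizational domain is approximated without
the Public Suffix List."""
import ipaddress
from dataclasses import dataclass

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for the connecting IP against a published record.

    Mechanisms that need live DNS (include, a, mx, ptr, exists, redirect=)
    raise instead of being skipped, so an incomplete evaluation can never
    masquerade as a 'fail'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return SPF_QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"SPF mechanism {mech!r} needs DNS")
    return "neutral"  # nothing matched and no explicit 'all' term


def parse_dmarc_record(txt: str) -> dict:
    """Split a _dmarc TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix
    # List so that, for example, example.co.uk is not reduced to co.uk.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str        # domain of the RFC5322.From header (what the user sees)
    spf_result: str         # check_spf result for the RFC5321.MailFrom domain
    spf_domain: str         # that RFC5321.MailFrom (envelope sender) domain
    dkim_result: str = "none"
    dkim_domain: str = ""   # d= tag of the verified DKIM signature, if any


def evaluate_dmarc(policy: dict, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). Either an aligned SPF pass or an
    aligned DKIM pass is enough, which is why a server that cannot DKIM sign
    still passes as long as its envelope sender stays in the From domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


def demo() -> dict:
    """Constructed scenario: example.com publishes SPF and DMARC; its Domino
    server at 203.0.113.10 sends without DKIM, and a newsletter vendor sends
    on its behalf from the vendor's own bounce domain."""
    spf_txt = "v=spf1 ip4:203.0.113.0/24 -all"
    policy = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    domino = AuthResults("example.com", check_spf(spf_txt, "203.0.113.10"), "example.com")
    vendor = AuthResults("example.com", "pass", "bounce.vendor-mail.example")
    vendor_signed = AuthResults("example.com", "pass", "bounce.vendor-mail.example",
                                dkim_result="pass", dkim_domain="example.com")
    return {
        "domino_no_dkim": evaluate_dmarc(policy, domino),
        "vendor_unsigned": evaluate_dmarc(policy, vendor),
        "vendor_dkim_aligned": evaluate_dmarc(policy, vendor_signed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical reading for a DKIM-less Domino or SmartCloud site: publish an SPF record that lists only your real outbound IPs, keep the envelope sender in the same domain as the visible From address (with aspf=r a subdomain such as mail.example.com still aligns), and expect anything relayed by a third party under its own bounce domain to fail until that party can sign with a key under your domain.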

How To Approach GDPR Preparation & Discovery
In this session, presented as a workshop outline, we will walk you through your GDPR responsibilities and how to assess your risk. We’ll give some recommendations on high priority but easy to fix issues and how to discover, secure and take ownership of existing data. At the end of the session we will share the workshop outline to help with your own planning.

Champions Expertise - Security

The topic for this month’s Champions Expertise presentations is “Security” so I thought it would be a nice idea to share a few highlights from the presentation I will be giving at Think 2018 in Las Vegas in a few weeks on that subject.  This is “A Guide To Single Sign-On for IBM Collaboration Solutions” and hopefully even this shortened version (6 minutes instead of 40) is of interest.

Of course I also hope to see you at my presentation on Monday 19th March (Mandalay Bay South, Level 2 - Surf B).


Creating SHA-2 4096 SSL Certificates for Domino

I’ve been doing a lot of work recently re-creating SSL certificates for customers who have SHA-1 or who want stronger certificates, mostly because so many sites are now failing validation in standard browsers because of SHA-1.  IBM have published several pieces of documentation on how to do this but I wanted to share my bullet list on the quickest and simplest way I have found.  It’s not hard, there are just lots of new steps.

Firstly you need to know that SHA-2 support only really started with 9.0.1 FP3.  That means the Domino Admin client you are going to use to do this work must be at that level (yes there are hotfixes for FP2 but go with the latest Fix Pack on your client).

You also need to know that NO Domino 8.5x server will be able to use the keyfile you create, it simply doesn’t have the cryptographic understanding to decode SHA-2.

Finally if you use the CA process to generate internet certificates you will need to upgrade the server running that process to 9.0.1 FP3 too.

Oh and you’re also not going to be using the Domino Server Certificate database to do this at all.

  1. Download 9.0.1 and FP3 for Domino Administrator and upgrade your client. Fix pack 3 is in Fix Central and 9.0.1 is on the IBM download site (CIQ91EN)
  2. Download the latest “lite” version of OpenSSL from here and install it on your Windows machine where you have Domino Administrator running.  I installed it in c:\openssl for example
  3. Download the kyrtool from here and copy the executable to your Notes program directory
  4. Set the environment variable for OpenSSL by typing in a command prompt
    set OPENSSL_CONF=c:\openssl\bin\openssl.cfg (or whatever your path is; Windows environment variable names are not case sensitive, so OpenSSL_Conf works too)
  5. Now we create our keypair using OpenSSL.  From the C:\OpenSSL\bin directory type
    openssl genrsa -out server.key 4096
    obviously you can use any name if you don’t want to use server.key and you don’t have to create a 4096-bit keypair.  When finished you should have a file in that directory called server.key.  Note that this key is written unencrypted, so treat the file as you would any private key.
  6. Now you have your keypair you need to create a CSR to send to the certificate authority
    openssl req -new -sha256 -key server.key -out server.csr
    the server.key name must match what you created in step 5 so if you used a different name there you need to use that name here. Similarly your server.csr filename can be anything you like.  When you enter this command be prepared to answer all the questions about the certificate you want generated including the common name etc.  The CSR this generates will be uploaded to your CA (Verisign, GoDaddy, Thawte, whoever) and your SSL certificate created based on the answers you give to those questions.
  7. Now we need to create a keyring file ready to add the certificate into when the CA sends it back.  Go to your Notes program directory and run the kyrtool
    kyrtool create -k c:\notes\data\keyring.kyr -p <passwordyouwanttouse>
    again the keyring.kyr file can be called anything you like.  Once run you should have both keyring.kyr and keyring.sth files in your data directory
  8. By now your CA should have sent you your certificate as well as some trusted and intermediate root certificates for their issuer.  We are going to create a single text file that contains the server.key we generated in step 5, the SSL certificate the CA just sent us (usually a .crt or .pem file) and any intermediate or root certificates the CA needs us to use, in that order: key first, then the server certificate, then the intermediates, then the root.  Doing this is very simple.  Go to your c:\openssl\bin directory (the one where your server.key file was created) and enter
    type server.key server.crt intermediate.crt root.crt >server.txt
    note all the filenames will be specific to whatever you were sent by your CA.  If you were sent a single bundle then you would use server.key bundlename.crt for instance
  9. To verify your server.txt is created successfully you can validate it using the kyrtool.  Go back to your c:\notes program directory and type
    kyrtool verify <path to server.txt>
  10. Now we import our server.txt with all the certificates into the keyring file we created in step 7
    kyrtool import all -k c:\notes\data\keyring.kyr -i c:\openssl\bin\server.txt
    again your filenames and paths may vary depending on what you chose

And that’s it.  You now have a keyring (kyr) file and stashed password file (sth) you can copy to your Domino 9.x servers and use.  Remember that server.key and server.txt contain the unencrypted private key and the .sth file holds the keyring password, so keep all of them off shared locations and delete the working copies once the keyring is on the server.  If you want to validate the keys are correctly in the file then you can again use the kyrtool

kyrtool show keys -k c:\notes\data\keyring.kyr  AND

kyrtool show certs -k c:\notes\data\keyring.kyr
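As an added example (my own script, not something from the IBM documentation or the kyrtool), here is the OpenSSL half of the procedure above done non-interactively, plus the checks I would run on what the CA sends back before building server.txt: that the certificate really carries the public half of the key from step 5, that it was signed with SHA-2 rather than SHA-1, and that leaf, intermediate and root chain together. It is written for a POSIX shell with openssl on the PATH (Git Bash or WSL on the admin workstation, or any Linux box); the file names mirror the steps above but are arguments, and the kyrtool steps still happen afterwards exactly as in steps 9 and 10.

```bash
#!/usr/bin/env bash
# Added example, not from the post: the OpenSSL half of the procedure done
# non-interactively, plus sanity checks on the CA's reply before server.txt
# goes into kyrtool. Assumes openssl on PATH; file names are arguments.
set -u

# Steps 5 and 6: 4096-bit RSA key and a SHA-256 CSR. -subj supplies the
# subject (CN etc.) on the command line so there are no prompts.
make_key_and_csr() {
  local key="$1" csr="$2" subject="$3"
  openssl genrsa -out "$key" 4096 2>/dev/null &&
    openssl req -new -sha256 -key "$key" -out "$csr" -subj "$subject"
}

# The certificate must carry the public half of the key from step 5. Both
# commands print the SubjectPublicKeyInfo in PEM, so the text must be equal.
key_matches_cert() {
  local key="$1" crt="$2" from_key from_crt
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  from_crt=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# The leaf must be SHA-2 signed; sha1WithRSAEncryption from the CA would put
# you straight back into the browser warnings this procedure is meant to fix.
cert_is_sha2() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -m1 'Signature Algorithm' | grep -qE 'sha(256|384|512)'
}

# Leaf -> intermediate -> root must link, which is what kyrtool import needs
# to find in server.txt.
chain_verifies() {
  local crt="$1" intermediate="$2" root="$3"
  openssl verify -CAfile "$root" -untrusted "$intermediate" "$crt" >/dev/null 2>&1
}

# Step 8: concatenate in the order kyrtool expects: key, leaf, intermediate, root.
assemble_bundle() {
  local out="$1"; shift
  cat "$@" > "$out"
}

# Run every check; prints why and returns non-zero on the first failure.
check_ca_reply() {
  local key="$1" crt="$2" intermediate="$3" root="$4"
  key_matches_cert "$key" "$crt" || { echo "private key does not match $crt" >&2; return 1; }
  cert_is_sha2 "$crt" || { echo "$crt is not SHA-2 signed" >&2; return 1; }
  chain_verifies "$crt" "$intermediate" "$root" || { echo "chain does not verify" >&2; return 1; }
}

# Usage: ./domino-cert-check.sh check server.key server.crt intermediate.crt root.crt
# On success server.txt is written in the current directory, ready for
#   kyrtool verify server.txt   and   kyrtool import all -k keyring.kyr -i server.txt
if [ "${1:-}" = "check" ]; then
  shift
  check_ca_reply "$@" && assemble_bundle server.txt "$@" && echo "server.txt ready for kyrtool"
fi
```

The key/certificate comparison is the one worth keeping even if you skip the rest: kyrtool import will happily build a keyring from a bundle whose key and certificate do not belong together, and you only find out when the HTTP task refuses to start TLS.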

IBM’s documentation on the process and the supported platforms is here and here