Engage 2020 conference is coming. The agenda is out.

Engage.ug is coming. This year’s Engage Conference, which will be held in Arnhem, The Netherlands, is starting almost in a month (on March 3 and 4).

The main organizer Theo Heselmans is able to surprise every year the environment where the conference takes place. Even this time, it will certainly be an amazing experience at Burgers’ Zoo.

The agenda was published today. It will be over 80 sessions and if I count well, 38 of my colleagues HCL Master and HCL Grandmaster will introduce themselves. Awesome!

I am looking forward to all sessions and I will try to bring information on my blog and Twitter.

Those who haven’t registered yet have a chance LINK
Look at the agenda LINK

See you in Arnhem!


HCL Verse On-Premises 1.0.9 offers a new calendar event form design. How to enable it? Caution of the issue.

Verse On-Premises 1.0.9 offers a new calendar event form design. This provides an improved environment for creating and managing calendar events.

The new form opens quickly and is smaller and streamlined. Controls allow users to show just the options that they want to use. This is a preview feature that is off by default. To make this feature available to users, you must add new parameters to the notes.ini Domino server.

While testing this new “feature”, I found the issue that HCL Development will fix in future releases. More on point 2.

There are two options – two parameters:

  1. To enable the new event form for all users and prevent them from disabling it, add : VOP_GK_FEATURE_168=1
  2. To keep the new event form off by default but allow users to enable it, add: VOP_PREVIEW_REACT_EVENT_FORM=1
    Then, to enable the feature, users select the option New Calendar Event Form in Feature Preview section of Mail and Calendar Settings

If you use this setting (point 2) and the user selects a new form, the form will then appear completely blank when in use. HCL Development is implementing a fix for this issue. The fix will be included in a future release of VOP. For now you to use the workaround which has been described in point 1.


HCL Domino V11 – Authenticating web users against the Notes ID passwords in the ID vault

Starting with Domino V11, you can configure Domino to use an ID vault password to authenticate web users accessing the server.

If enabled uses the Domino server to authenticate users to HCL Verse, HCL iNotes with their Notes ID and passwords stored in IDVault. With this feature, users only can to remember their password in the file ID.

This feature is ignored for authentication of the following users:

  • Notes client users
  • Web-only users without Notes IDs
  • Users who authenticate via SAML federated identity authentication

How to configure?

  • Create or edit a Configuration document in the Domino directory. (Configuration – Servers – Configurations)
  • Open the Security tab
  • In the Internet Password Verification section, select one of the following options

If some web users with registered Notes IDs do not have IDs in the vault or if you are unsure if they do, use “Check vault first, then directory“. If Notes IDs are not found in the vault, Domino will use internet passwords in Domino directory Person documents to authenticate the users.


HCL Sametime V11 Proxy Server – exchange self certificate for qualified SSL certificate

To use Sametime V11 access from mobile devices or chat using a web browser, you need to install and configure the Sametime Proxy Server. Sametime since version 11 uses a proxy server based on Apache Tomcat. This reduced hardware requirements and simplified installation.

The document “ST11_Installation_and_Administration.pdf”, which can be downloaded together with the installation files located on Flexnet, describes the basic installation and configuration. The Sametime Proxy Server installation section describes how to automatically create a new selfcert for SSL without any configuration changes. If you use selfcert, it is possible that some web browsers or mobile devices may have problems with this certificate, you will have to create exceptions, rules and so on.
I had this problem with my installation of Sametime V11 and so we started looking for how to replace the selfcert with a qualified certificate from a Certificate Authority (in my case I chose RapidSSL from GeoTrust).

The solution is not complicated and although I am not an expert on Tomcat, I managed it quite easily. Maybe also thanks to my previous experience, as Domino Admin I used SSL certificates for Domino using OpenSSL.

How to do it?

Suppose we already have Sametime Community Server V11 installed and install Sametime Proxy Server V11 in “c:\ sametimeproxy” (as described in the instructions document). We will need the “keytool” tool, which is in “C: \ sametimeproxy \ jdk8u222-b10-jre \ bin

  1. Run a command prompt and open the folder C: \ sametimeproxy \ jdk8u222-b10-jre \ bin
  2. Now we will create a new Certificate Keystore using “keytool”, where we will then import the necessary certificates. We name the new keystore “st.keystore”. Create it C: \ sametimeproxy \ cfg.So we use the command:

“keytool -genkey -alias tomcat -keyalg RSA -keystore C:\sametimeproxy\conf\st.keystore”

– create a new password for the keystore. Tomcat default uses “changeit”
– we will confirm the password again
– fill in basic information about keystore. In “First and Last name” I used FQDN of Sametime server “sametime.company.com” and gradually filled in further data (Company, City, Country and so on).
– we created a new keystore

  1. Now we create a new a local Certificate Signing Request (CSR). In order to obtain a Certificate from the Certificate Authority of your choice you have to create a so called Certificate Signing Request (CSR).

    That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as “secure”.

    The CSR is then created with:

“keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore C:\sametimeproxy\conf\st.keystore”

– Now you have a file called certreq.csr that you can submit to the Certificate Authority. In return you get a Certificate.

  1. The certificate must be installed to the keystore where the CSR was created.
    – Prepare a certificate file and both Intermediate certificates. Import Primary Intermediate:

“keytool -import -alias primary -trustcacerts -file D: \ cert \ PrimaryIntermediate.pem -keystore C: \ sametimeproxy \ conf \ st.keystore”

– Import Secondary Intermediate:

“keytool -import -alias secondary -trustcacerts -file D: \ cert \ SecondaryIntermediat .pem -keystore C: \ sametimeproxy \ conf \ st.keystore”

– Then import the SSL certificate:

“keytool -import -alias tomcat -trustcacerts -file D: \ cert \ certificate.txt -keystore C: \ sametimeproxy \ conf \ st.keystore”

  1. Now you need to configure the SSL Connector. Open the server.xml file located in the “c:\ conf” folder. In the configuration, find the connector that should work for the new keystore and uncomment it if necessary.
    In the connector configuration, specify the correct file location and passphrase. The correct configuration looks like this:

< Connector protocol=”org.apache.coyote.http11.Http11NioProtocol” port=”8443″ maxThreads=”200″ scheme=”https” secure=”true” SSLEnabled=”true” keystoreFile=”conf/st.keystore” keystorePass=”changeit” clientAuth=”false” sslProtocol=”TLS”/ >

  1. Now restart the Sametime proxy server and your web browser should already see the imported certificate.


What's new in the final release – Domino server V11

I continue with the previous article about news in final release, where I summarized news in Notes client and iNotes V11. However, most features require a Domino V11 server. Here is a summary of news for the Domino server.

Domino V11

  • New Domino licensing model
    (Active license management is not available for production use licenses at this time. Therefore, configuring a FlexNet license server for Domino 11.0.0 is not required. Details of when HCL will enable active license management will be announced.)
  • Product rebranding
    (References to IBMhave been rebranded to HCL for the Notes and Domino product family. Strings with IBM that were visible in normal use of the product are changed to HCL.
    Occurrences of IBM in the following locations are changed to HCL:
    – Logos and copyright information
    – Error messages
    – Dialog boxes
    – Templates and databases that ship with Domino and Notes 11
    – Registry path in Windows™ platform

    Not all IBM strings are replaced. The following occurrences of IBM strings remain and have not been changed:
    – The following directories or paths that if changed could require customers to alter their applications: IBM_TECHNICAL_SUPPORT, IBM_ID_VAULT, IBM_Credstore, IBMDomino.sym, ibmditar.css, C:\Program Files\IBM\Domino\data\domino\js\dojo-1.5.4\ibm
    – notes.ini configuration parameters that contain IBM strings
    – Proprietary IBM strings such as IBM operating systems, servers, compilers.
    – LDAP attributes
    – COM objects with IBM as the namespace
  • New InstallAnywhere platform for Domino
    (Flexera InstallAnywhere 2018 is the underlying install platform used as of HCL Domino 11. InstallAnywhere offers the following install modes:
    – Graphic User Interface (GUI) mode, available only on Windows
    – Console mode, available only on AIX and Linux
    – Silent install mode, available on all platforms
  • Directory Sync
    (Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino directory. Currently data from Active Directory can be synced. )
  • DAOS tier2 storage
    (Domino Attachment Object Service (DAOS) tier 2 storage enables you to use an S3-compatible storage service to store older attachment objects that haven’t been accessed within a specified number of days. This feature allows you to reduce the amount of data stored on Domino servers that use DAOS. It can also improve the performance of any incremental file backups done for DAOS. An S3-compatible storage service uses the Amazon Web Services (AWS) Simple Storage Service (S3) API)
  • New Java Runtime Environment
    (The Java Runtime Environment (JRE) that comes with HCL Domino® 11 and HCL Domino Designer 11 is now Eclipse OpenJ9 that is provided through AdoptOpenJDK.
    The JRE component versions are:
    – openjdk version “1.8.0_222”
    – OpenJDK Runtime Environment (build 1.8.0_222-b10)
    – Eclipse OpenJ9 VM
  • IBM GSKit cryptographic libraries replaced with the OpenSSL equivalents
    (On all HCL Notes and Domino® platforms, OpenSSL 1.1.1a cryptographic libraries replace the IBM GSKit libraries provided in earlier releases)
  • Limiting ID file downloads from the ID vault is disabled for SAML federated login
    (When SAML Notes federated login or SAML Web federated login is the authentication method used to extract HCL Notes ID files from the ID vault, the value for the ID Vault policy setting Allow automatic ID downloads is now ignored. (This setting is in the ID vault tab of a Security Settings policy document).
    The setting is ignored because SAML authentication requires unrestricted download access to ID files from the vault.
  • Authenticating web users against the Notes ID passwords in the ID vault
    (You can configure HCL Domino® to use the password in an ID vault to authenticate web users that access the server)

What's new in the final release – Notes, iNotes V11

During 2019 I described in some articles what should appear in V11. Now that the final release has been published I can summarize all the major news. To what extent it differs from previous announcements you can judge for yourself.


New modern look:

  • Inbox action bar
    (There are fewer icons above the inbox on the action bar. Further options can be viewed when you select and hover over an email)
  • Side navigator menu
    (Less-used items such as Junk and Trash are collapsed by default. Click Show More to display these options and Show Less to hide them again)
  • Client status notifications
    (Click the bell icon on the bottom action bar to view the client status messages)
  • Missed alarms
    (Click the bell icon on the bottom action bar to view Missed Alarms, which are notifications for calendar events missed while the client was not running)
  • New calendar form
    (Calendar events in a simplified form)
  • New contact form
    (new contacts in a simplified form)
  • New HCL Notes 11 theme
    (HCL Notes has a new theme for Mail, Calendar, Contacts, and Notebook)

Feature enhancements:

  • Language spell check
    (You can now spell check any language that your HCL Notes client supports within an email or document)
  • Export to PDF
    (You can now export emails and documents to PDF from the HCL Notes client.Windows machines require a PDF printer to support PDF exports)
  • 24+ hour meeting support
    (Meetings that are longer than 24 hours are now supported by the HCL Notes Calendar. This feature requires a Notes 11 version mail template)
  • Three click support
    (Three click support adds a level of security when a user opens an attachment within an email)
  • Network resiliency improvements
    (When there is no network connection (when the cable is unplugged or the wireless is unavailable), the Notes client responds with an error message)
  • Synched release schedule
    (Starting with release V11, Sametime and Notes follow the same release schedule)
  • TLS 1.2 support for SAML
    (Notes and Embedded Sametime now support TLS 1.2 with Notes Federated login (SAML)
  • Mac 64-bit uninstaller
    (The uninstaller provided for Notes 11 on Mac is now 64-bit. This change is made because Apple will no longer support a 32-bit uninstaller as of its upcoming Mac OS 10.15 (Catalina) release)
  • Moving folders prompt
    (Users are now prompted to confirm when a mail folder is moved)


  • 24+ hour meeting support
    (This feature requires a Notes 11 version mail template)