HCL Notes Crash While Importing PKCS12 Database to the HCL Domino Certificate Manager

While I was working with HCL Domino Certificate Manager (CertMgr), which, by the way, is awesome, I encountered an issue that caused HCL Notes to crash.

Namely, importing a seemingly valid PFX file (a PKCS12 database downloaded directly from the customer’s TLS provider’s site) caused HCL Notes to crash, after which the certificates and the private key contained in the file were not imported. I could reproduce the issue with the same PFX file in multiple environments running HCL Domino 12.0.2 FPx, HCL Notes 12.0.2 and HCL Notes 14.0.

Upon closer inspection of the PFX file with OpenSSL, I found that the Message Authentication Code (MAC), which protects and verifies the integrity of the PKCS12 database, was missing. This can be observed by issuing the following OpenSSL command:

openssl pkcs12 -in testNoMac.pfx -passin pass:testNoMac -passout pass:testNoMac -info

The output of the command, using OpenSSL version 3.1.2:

Warning: MAC is absent!
PKCS7 Data
Certificate bag
Bag Attributes
localKeyID: 24 FB 6A AF B8 E6 C7 73 F1 F0 71 EF E7 7E 6D 79 14 A7 B4 07
subject=CN = site.server.com
issuer=C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIE9DCCA9ygAwIBAgISBCP4MnSnMtntgtWJ9eTtay33MA0GCSqGSIb3DQEBCwUA

Looking into the matter a little further, I was able to produce PKCS12 databases without a MAC for testing purposes, using OpenSSL with the “-nomac” switch, for example:

openssl pkcs12 -export -out testNoMac.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -nomac

Note: I don’t know why you would want to produce a PKCS12 database without a MAC; if you know of a valid use case for doing so, please let me know.

Every PKCS12 database I produced with the “-nomac” switch would successfully crash HCL Notes. 🙂
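As an added example (not part of the original post and not HCL or OpenSSL code), here is a small Python check that parses only the outer PFX SEQUENCE and reports whether the optional MacData element is present, so a file like the one above can be rejected before it reaches the importer. The sample PFX bytes are constructed inline with an empty authSafe payload and carry no real certificate or key.

```python
import sys

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def pfx_has_mac(der: bytes) -> bool:
    """True if the outer PFX SEQUENCE carries MacData, False if the MAC is absent.

    PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE (is this a PEM file?)")
    elements, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        elements.append((t, v))
    # version must be INTEGER 3, followed by the authSafe ContentInfo SEQUENCE
    if len(elements) < 2 or elements[0] != (0x02, b"\x03") or elements[1][0] != 0x30:
        raise ValueError("not a PKCS#12 v3 PFX structure")
    return len(elements) >= 3 and elements[2][0] == 0x30

def _der(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder, enough for the constructed samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed samples: only the outer PFX layout is realistic; the authSafe
# payload is empty, not a real certificate/key store. (Assumption: the outer
# layout is all the check needs, since the crash is tied to the absent macData.)
_AUTH_SAFE = _der(0x30, bytes.fromhex("06092a864886f70d010701") + _der(0xA0, _der(0x04, b"")))
_DIGEST_INFO = _der(0x30, _der(0x30, bytes.fromhex("0609608648016503040201")) + _der(0x04, bytes(32)))
_MAC_DATA = _der(0x30, _DIGEST_INFO + _der(0x04, bytes(8)) + _der(0x02, b"\x08\x00"))
PFX_NO_MAC = _der(0x30, _der(0x02, b"\x03") + _AUTH_SAFE)
PFX_WITH_MAC = _der(0x30, _der(0x02, b"\x03") + _AUTH_SAFE + _MAC_DATA)

if __name__ == "__main__":  # usage: python check_pfx_mac.py file.pfx
    with open(sys.argv[1], "rb") as f:
        print("MAC present" if pfx_has_mac(f.read()) else "Warning: MAC is absent!")
```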

As a workaround, I’ve imported the certificates and the private key needed, using the PEM format, which is also accepted by the HCL Domino Certificate Manager.

This issue is currently being investigated and, for the time being, I don’t have information about which component of the HCL Notes client is causing the crash. I hope this saves you some time if you encounter the same issue.

UPDATE: In the meantime, it has been verified that the missing MAC in the PKCS12 database is causing HCL Notes to crash. The issue has been reported and is tracked under SPR # DNADD46LU5.

Domino Authentication via SAML – All Flavours

For the Engage 2022 event, I prepared a “Domino Authentication via SAML – All Flavours” session, to present together with my colleague Herwig W. Schauer. Alas, the session never got accepted and I never had time to convert it to a whitepaper. As I invested quite a bit of time in preparing the slides, I thought I should upload it here before it inevitably travels into oblivion. Maybe it will come in handy for some of you.

Keep in mind that it was created in 2022 and there are some things I would have to change; for example, the following diagram is not 100% accurate:

Let me know if this topic is still of interest, I could update the presentation and do a webinar or just write a whitepaper…

Basic SAML – Demo
Basic SAML incl. SSO – Demo
Web Federated Login – Demo
Notes Federated Login – Demo
Notes Federated Login – Subsequent Login
HCL Nomad SAML – Initial Configuration
HCL Nomad SAML – Subsequent Login
HCL Traveler – SAML Enabled – New Device
HCL Traveler – SAML Enabled – Encrypted Mail

HCL Connections – How To Deactivate the Welcome Tour

If you don’t see a benefit in the new HCL Connections Welcome Tour feature, it can be easily deactivated by using the HCL Connections App Registry, as documented in the GitHub documentation maintained by HCL.

But as the App Registry is part of the HCL Connections Component Pack, you may not be fortunate enough to have it deployed. If that is the case and you want to disable the HCL Connections Welcome Tour feature, there is a way to do it in “Blue Stack only” environments, although it involves a couple more steps.

This involves adding a small script block (a JavaScript object literal) to the “header.jsp” file. To do this, follow the guidelines for customizing the “header.jsp” file, as described in the official documentation.

Once you are familiar with how to edit the “header.jsp” file, simply add the following code to it:

<script>
   // Disable the HCL Connections Welcome Tour (no App Registry in this Blue Stack only deployment)
   window.connectionsExtension = {
      "com.hcl.connections.tours": {
         "disabled": true
      }
   };
</script>

It is also beneficial to add a comment, so that you still know why you made this change a few weeks later, for example:

Hope this helps!

HCL Connections – Issues Customizing the Font List for Tiny Editors 4.9.2.17 Integrations and Newer

Due to some issues in the HCL Connections integration layer for TinyEditors, it is currently not possible to customize the font picker in TinyMCE as described in the official HCL Connections documentation.

This issue is described in the KB0105102 defect article and will be fixed in a future release of the software. Subscribe to the article to be notified as soon as information about the resolution becomes available.

HCL Connections Mail Plug-in Deployment – Missing Information in the Documentation

If you are planning to deploy the HCL Connections Mail Plug-in, take note of the KB0092821 knowledge base article. It describes a mandatory step that must be performed in HCL Connections 8 CR1 and newer environments.

If the steps described in the KB0092821 article are not followed, you will get the following error message in the browser console:

Error: Unable to load https://<mailserver_hostname> status: 403

We are working on adding this step to the official documentation of HCL Connections Mail Plug-in.

HCL Notes – Swiftfile Not Working as Expected

When using the preview pane in HCL Notes and clicking on a folder suggested by SwiftFile, the “move to folder” dialogue would sometimes come up. This was happening to my client in about 1 of 20 cases.

Screenshot of the issue described above.

I tried numerous things to resolve this issue, but in the end the only thing that helped was rebuilding the SwiftFile index, which can be done in the HCL Notes “Preferences” menu (open your mail database and navigate to “More –> Preferences –> Mail –> Swiftfile –> Rebuild index”), as displayed in the screenshots below:

After rebuilding the index, the issue hasn’t occurred again and HCL Notes SwiftFile works as expected.

HCL Connections 8 – PDF Export Issues After Installing CNX in a Clustered WAS Environment

Recently I encountered an issue with PDF Export right after installing the HCL Connections applications in a multi-node, clustered IBM WebSphere Application Server (WAS) environment. This problem only occurs in a multi-node WAS environment.

In the HCL Connections GUI, in the “PDF Export Access” settings of the “Edit Community” menu (Community –> Community Actions –> Edit Community –> PDF Export Access), the following error was displayed:

Error 500: org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: com/ibm/ess/ic/ic360/security/tai/Ic360ImpersonateUserTAI

At the same time, the following error is logged in the application server logs of the WAS server where the IC360 application is running:

ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0014E: Uncaught service() exception root cause ic360: org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: com/ibm/ess/ic/ic360/security/tai/Ic360ImpersonateUserTAI

The cause of the problem was the missing Java virtual machine custom properties, which were only set on one of the IC360 WAS application servers. In my case, as I was installing HCL Connections using the “large deployment” topology, the Java virtual machine properties were only set for “IC360Cluster_server2”. Those settings can be found under “Application servers –> IC360Cluster_server2 –> Process definition –> Java Virtual Machine –> Custom properties”, as shown in the screenshot below:

On the other hand, these crucial settings were missing on the other IBM WebSphere Application Server cluster member, as can be seen in the screenshot below:

To resolve the problem, make sure that the same JVM “Custom properties” are set on all WAS application servers hosting the IC360 application. In my case I had to set the same properties for the “IC360Cluster_server1” application server as the installer had set for “IC360Cluster_server2”, as displayed in the screenshot below:

After that, make sure that all IBM WebSphere nodes are synchronized and restart the IC360 WebSphere Application Server cluster.

The steps to resolve this issue are also documented in the KB0085725 article.

I hope this helps!

HCL Domino TOTP/2FA – Implementation, Best Practices and Pitfalls – Webinar

My colleague Martin Leyrer and I will be hosting a webinar, “HCL Domino TOTP/2FA – Implementation, Best Practices and Pitfalls”. The session will start on September 15th at 4 PM CEST. So, if you are interested in implementing TOTP/2FA natively with HCL Domino, make sure to register and join our webinar:

Registration Form

We will be delighted to have you there!

HCL Domino – Contact Sync Issues

Recently, we came across some issues with contact synchronization between mobile devices using HCL Traveler, the mail databases of HCL Notes users, and the address books of HCL Notes roaming users.

To be exact, these are two separate problems, which are described in the following Knowledge Base articles:

KB0099431

KB0097255

You might be affected by the issues mentioned in the KB articles above without having noticed them yet, as HCL Notes and HCL Traveler users only have problems synchronizing certain contacts “across the board”, namely those created on HCL Traveler devices. The issue becomes more apparent for users with more than one mobile device activated on HCL Traveler, as contacts created on one device will not sync to the other and vice versa.

There is a workaround for both issues, as stated in the KB articles mentioned above: add the “AccessContacts” role to the owner of the mail database as well as to the roaming address book database, assuming the same user is also a roaming user. You can do this either manually or via the LotusScript code provided by Domino Development, which you can find in the following Knowledge Base article:

KB0099761

Many thanks to the HCL Traveler team for confirming the issue and developing the workaround so quickly, as well as to the HCL Domino Development team for writing the code to implement the workaround.

New Fixes for HCL Notes 12.0.1 German Template

As of yesterday, a new version of the HCL Notes 12.0.1 German mail template is available, which incorporates fixes for the following SPRs:

SPR # PDARCBQ86U >> DOMI: MSTeams meeting is not getting updated with new URL when user opens the accepted reschedule invite

SPR # PDARCC68MC >> DOMI: Reschedule meeting notice displays the old url for MSTeams meeting when chair accepts the counter

You can find the new version of the HCL Notes 12.0.1 German mail template in the KB0097354 article.

Hope this helps! 🙂