Two days ago the IBM/HCL released a new Fix Pack for IBM Domino and Notes 10.0.1, the Fix Pack 2. Take a look at the IBM Domino 10.0.1 FP2 Release Notes.
The Fix Pack is available for Download from the Fix Central:
IBM Domino 10.0.1 Fix Pack 2
IBM Notes 10.0.1 Fix Pack 2
If you are interested in running Domino on Docker, take a look at the Daniel Nashed´s Blog for the updated scripts.
IBM Notes and Domino G1 Language Pack was released yesterday, part numbers are listed below.
Take note that the FP1 is not included, so you should install it right away after installing the slipstream version. And if you had the first “troubled” version of the client installed, you should uninstall the original slipstream release completely before installing the FP1 Update to ensure compatibility with FP1, as described in the official article.
IBM Notes Client 10.0.1 Multilingual User Interface
IBM Notes 10.0.1 for Mac
IBM Notes 10.0.1 for Windows
IBM Notes Designer & Admin for Windows
IBM XWork Server
IBM i
IBM Notes and Domino 10.0.1 Fix Pack 1 is available for Download. There are no new Features in this release, just bug fixes, for more details take a look into the official Release Notice.
IBM Notes 10.0.1 Fix Pack 1 Download
IBM Domino 10.0.1 Fix Pack 1 Download
We also got a new Version of AppDev Pack and Verse 1.0.7 last week, take a look at the official Blog Post.
If you are asking yourself, what is the equivalent of the Notes 10.0.1 Client, from a security und patch standpoint, in 9.0.1 release, that would be the 9.0.1 FP10 IF6 version including the latest JVM Update, 1.8 SR5FP21, released in October.
JVM Version used in IBM Notes 10.0.1 Client Version.
Recently we got contacted by a growing number of customers regarding the change of the SSL Certificate on the ADFS Server used for Domino SAML and Notes NFL. Although the process is not overly complicated, there are some “gotchas” you need to keep in mind in order for this process to go smoothly, which I will try to describe before going through the actual process of changing the certificate.
Keep in mind that, as soon as you change the certificate on the ADFS Server, SAML/NFL on the Domino/Notes side will not work properly. As there is no Configuration Document in the IdP Catalog which corresponds with this certificate, thus Domino will just drop the Requests signed with the new ADFS Certificate. In this case, you will get the following errors:
SECCheckAndParseSAMLResponse> Signature verification check failed : Could not verify cryptographic signature
SECCheckAndParseSAMLResponse> Exiting : Document has been modified or corrupted since signed! (signature)
Needles to say, this will lead to the SSO Process not working and many angry users…
To remedy this, plan the certificate change so that the impact on the client machine is minimal.
For NFL to work, you need to roll-out the new ADFS Certificate (in case if you are using public CA, you need to roll out the Intermediate and the CA certificate). You would do this via Notes Client Policy, Security Settings. This is not a big deal, but keep in mind that after setting the Policy, the Users need to successfully log in, for the Notes Client to pick up the change and get the new Policy together with the new ADFS Certificate. I have seen some environments were the Notes Client needed multiple restarts to pick up the change.
Now, think about this, the certificate is expiring, and you have to change it in the middle of Christmas holidays, meaning most of the Users are on vacation, so you go ahead, do everything perfectly. But as soon as your users get back from the vacation, they try to login and they get the beautiful error message stating that NFL is not possible at this time and their Notes ID Password is requested. Resulting in Helpdesk calls… Only after they enter the ID Password and successfully login, the Client will get the new certificate and in the future the login will be possible.
In order to get around this, I would recommend rolling out the new certificate as soon as possible, before actually changing it on ADFS.
The worst scenario is using the wrong certificate, so make sure that the Certificate you are using meets the Requirements. If you are using a Self-Signed Certificate, then it must have the “keyCertSign” (also know as “Certificate Signer”) and “cRLSign” (also known as “CRL Signer”) in the “Certificate key usage” field. To check this just open the certificate and inspect that field. If the certificate does not contain these fields, than you will get the following error when you try to create a Cross Certificate from it in the Domino Directory:
“A cross certificate will not be made due to key usage restrictions in the input certificate.”
It also needs to be a “SHA2” or higher. For the full list of Certificate Requirements and more, please read the following article:
https://www-01.ibm.com/support/docview.wss?uid=ibm10718435
If you are using a certificate from the public Authority, then the purchased personal certificate will not contain these values, but this is not a problem, because you can just import the CA and all Intermediate Certificates in the Domino Directory and cross-certify them. After that you can roll-out the the Cross-Certificates via Notes Policy Document.
One customer is planning to use their own internal Windows Certificate Services or Windows PKI, I opened a Support Case regarding this, and got a confirmation that in this case you can also use the CA Certificate of that Authority. We still have not tried that and I didn´t have time to test it out in my Test Environment, but as soon as I have done so, I will post the results.
If the CA and Intermediate Certificates do not change, then you can skip the step of importing and cross-certifying these, as the mentioned certificates do not change.
I am honored for being invited to one more Domino Jam in Vienna, this time, for the V11 Version. After a brief session of what the future has in stores for us and the rules by which the “brainstorming” sessions are going to take place, we all got a few block of “PostIt” paper, from Thomas Hampel who was leading the Event, and started “cracking”.
Here are some photos of the result:
It was nice to see that IBM & HCL are putting, once again, so much effort in the these sessions, you could clearly see that they care what the users think. At the end we had a chance to talk with Richard Jefts, Thomas Hampel and Uffe Sorensen about the plans that HCL has for the Domino & Notes Platform, and what we got to hear, didn’t differ much from the main Ideas that came out of the event. This is what I liked the most, the chance to talk with people who are responsible for the platform, and they also didn’t shy away telling what is not the focus of the next release and which features won’t be implemented in the V11 Release, what possibly was the best thing, showing where the focus lies, getting everybody on the same page and not rising any false hopes.
At the end of the event we got the Information that we should expect the V11 in the November of the 2019! I surely can’t wait to drink V11 Beer in Vienna! 😉 This event was definitely a nice experience, and I can only recommend it to everyone, if you you are interested, than please make sure to register for the Domino Jam V11 event near you:
Like always the Organisation in the IBM Client Center Vienna was great, a special thanks and big thumbs up to the Austrian IBM Team, as to Richard Jefts, Thomas Hampel and Uffe Sorensen for coming to Vienna personally.
For everybody working in ICS, next week is going to be pretty interesting,
Domino 10.0.1 together with Notes Client 10.0.1 (including the Mac Version) is going to be published next week, on December 18th, to be precise.
Verse on-Premises 1.0.6 is also coming out, I just can´t wait to start using it, because if I remember the feature list correctly…ics….support….. 😀 Fireworks! 🙂
The new Domino Community and Notes Community 10.0.1 Server will also be released, so the developers can develop their applications on Domino without any licensing costs. There was also a rumor to change the license so it can be used in production (FOR FREE) for a certain number of users, also for MAIL. I think this is a great idea. Create a few Docker Containers for Mail and Development, no Licensing Costs, imagine that!
Every now and then we have a customer who would like to use the IBM/HCL Notes or ICAA Client on Windows Terminal Servers, but this is officially not supported. Since a few days there is an Idea on “Domino Product Ideas” forum regarding this.
So if you are a customer or another Business Partner who would benefit from the Support of IBM Application Access on Windows Terminal Servers, please vote for the following Idea:
https://domino.ideas.aha.io/ideas/NTS-I-489
With IBM Domino/Notes 10 Beta 2 released recently, I am extremely excited about the new version. I think that Domino and Notes was never at better health, we have many new features announced, many off them implemented in the Beta version and the marketing has gotten a lot better.
If you are interested about the new features and the Domino and Notes roadmap, feel free to contact me. Look, I also have my first IBM Badge to brag about it. 😉
I am also very happy for being allowed to be present at the World Premiere of the Domino V10 in Frankfurt on the 9th of October. There will be a live-stream available of the event, so make sure you registered.
Thoughts about HCL Connections, Domino and Sametime 