Wednesday, 24 April 2013

Designer keep crashing? Unable to delete apps? Notes client really slow? Something to try.

As a Domino Administrator with a smidge of Design skill I am constantly using all three Notes clients during my working day. Over recent weeks, I have found my Notes 8.5.3 client getting slower and slower and some other issues which were more worrying, such as:

  • Unable to delete Notes applications either from Local or from a server. (Notes just crashed).
  • Opening Designer crashed Notes immediately.
I tried the following to fix it:
  •  Installed FP3.
  • Offline compact, fixup and updall against the entire data directory.
  • Ensured that ODS was updated to version 51 on all system databases.
  • Uninstall / Re-install the application (after a registry sweep to ensure all gremlins were gone).
  • Disable all client add-ins (there was just one).
I found a few forum threads and blog posts which suggested that the bookmark.nsf might be "corrupted" so I thought I'd focus on that.

(Corrupted is a word which gets used far too often in Notes world in my view! If the file were really corrupted, I wouldn't be able to use the thing at all, right? I'm pretty sure I'd struggle to find a dictionary definition for "corrupted" meaning "kinda works sometimes").

So I renamed bookmark.nsf to oldbookmark.nsf. On restarting the client a new bookmark.nsf was spawned (you need a bookmark.ntf in your data directory if that doesn't happen for you) and suddenly my issues went away.

What have I lost by doing this? Actually, not much. Here's what I found:
  • My client preferences were retained.
  • My Domino Administrator server bookmarks and domains were retained.
  • My Domino Designer bookmarks were retained.
  • My workspace icons were retained.
but...
  • My homepage was lost (I was only using the default anyway - no big deal).
  • The links in my "Open" list (I had links to my Traveler.nsf and a couple of spreadsheets there) were lost.
So, I've lost very little, but gained a client which works at an acceptable speed, with very little data loss.

I highly recommended this to anyone else who has been suffering from the same issue!

Monday, 8 April 2013

Mail encryption using IBM Traveler in a multi-domain environment

Lots of members of the Notes blogging community share stuff all the time. I'm not one of them, I know that, but I thought I'd share this with you.

I remember from Paul Mooney's presentations at IBM Connect (I think it was the AdminBlast) strongly advocating keeping your Traveler server(s) in a separate Domino domain to your production mail environment.

This is because Traveler is constantly being updated to support latest devices and features, administrators should keep the Traveler server running the latest versions and patches for Domino and Traveler, regardless of whether you're running version 8.* or 9.*.

Similarly, best practise suggests that administrators should keep Sametime servers in their own domain too. Let's face it, Sametime is a very delicate little flower, it needs a lot of love, care and attention when patching, so you might not want a Domino 8.5.3 Domino Directory running on your Domino 8.5.2 server running Sametime 8.5.1. Actually, that combination probably works but you get the idea! :)

Anyway, here's the issue...  

By default, Traveler will tell your users that mail encryption will work, but actually it won't. 
 
I assume the following:

1. You're running ID Vault on your mail servers.
2. You're users have not uploaded their Notes ids to their mailboxes to access encrypted content via Domino Web Access.

Here's the evidence for the prosecution:
  • My Traveler server is in a separate domain to my mail servers.
  • The following information is displayed when dumping a user's Traveler profile to text:

    "Notes ID: Mail File does not contain the Notes ID."

    "Encrypting, decrypting and signing messages are enabled because the Notes ID is in the mail file or the ID vault."
  • When the user tries to open an encrypted email, the user cannot access the email. You get different behaviours depending on the device. In my testing:

    - iOS: Error: "There is no Notes id for your user on Traveler"

    - Android: There's no error message. When the user clicks the Download button in the message, he is prompted for his Notes password. The device hourglasses for a moment and then the email is not displayed.
Explanation
Simply put, ID Vault does not authenticate users across domains. There is an IBM SPR about this (SPR #YDEN8FFERA) which you can log a feature request against.

My frustration here is that Traveler says that access to encrypted emails this way will work, but in fact it doesn't.
Workaround

The easiest way to fix this is to advise users who want to access encrypted emails through their devices to upload their Notes id to their mailboxes. This can be done from your Traveler server's website. All they need to do is:
  1. Log into the Traveler server's website.
  2. Click "Manage the Notes id".
  3. Click "Upload the Notes id".
  4. Browse to the Notes id file, and enter the password for the id as shown.











 Another workaround to this issue would be to automate the addition of Notes ids from ID Vault into the user's mail database. A third party tool is available to do this (I've not tried it, but I'd be interested to know if you have!) provided by Helpsoft*.

Another workaround might be to move your Traveler into the same mail domain as your servers. If you're happy keeping your mail servers at the latest-ish release of Domino, then you'll probably be ok. Just be careful with those Sametime or Quickr boxes though.

* I am in no way affiliated with Helpsoft, but I have been a very satisfied user of some of their products for some time.