Working with Views outside of .nsfs

Ok, so it’s been a long time coming.  Been promised and “in the pipeline” for a long time.  Well with Domino 9.0.1. Feature Pack 8 we can now move views outside of .nsfs.

Why would you want to do this?  Well the two primary reasons:

1.  For potential performance improvements on large databases.  This is a simple statement that assumes much.  Generally it assumes you can re-point the views (to another dedicated physical disk, or dedicated LUN), though there would generally be performance improvements even if you didn’t.  There may be many other reasons why your database/application isn’t working as well as it should.  Contact us and we can set up a review for you.

2. To improve back up speeds on weekly full backups.

I say weekly backups explicitly here, as unless you’ve a really small footprint of disk, (or have some other compelling reason) you should be ONLY backing up archive based transaction logs, every day.  Please again contact us if you are not.  It is relatively straight forward to implement and it will improve the amount of time backups take (As well as allowing point in time recovery).

So how do you implement views outside of indexes?

Read Full Post

Working with SHA-2 in Domino

Any production web site on Domino will have been flagged for months (if not years) on lack of support for SHA-2.  Since the poodle scares last year, a lot of third party certifiers made the decision to no longer support SHA-1 certs, just in time for Domino to begin supporting SHA-2 (phew).

So by now you’ll probably be aware of the prerequistes

and the steps from IBM to a point are actually very clear. (though it does make sense for it to be packaged in the server certificate admin tool soon – please IBM)

There’s two steps that need to be different though.  The first is the same with any third party supplier of certs and that’s getting the correct root and intermediate certs for your SSL cert.  That’s a problem independent of Domino though and anyone who has installed a cert previously will have done similar to this.

The second issue is the step:

“6. Import the RSA keypair and self-signed certificate into the new keyring file

6a. Concatenate server.key and server.pem into a single file:

This step varies from the self-signed case. You will have more than one certificate in your “.pem” file, and will want to place them in order with your server’s SSL “leaf” certificate first and the root certificate last. Verify step 6b will check to ensure that the ordering is correct. If it returns any warnings or errors, edit the PEM file and verify it again.

Note the following:

  • Certificate Authorities will frequently return a signed certificate in a .crt file. If they also provide the root certificates when returning the CSR file, then you can concatenate all of the .crt files to the private key by using the “type” command from a DOS prompt.
  • The files should be concatenated with the server key first, the server’s cert next, the intermediate cert next, and the root cert last. Concatenation can be done from a DOS prompt using the TYPE command. The type command takes a list of files, and appends them together into an output file designated with a greater-than symbol. For example, type server.key server.crt intermediate.crt root.crt > server.txt In this example “server.txt” is the file provided to the kyrtool for import into a Domino keyring. You can display this output file in Notepad.
  • If the root and intermediate certs are not provided with the signed certificate, export the intermediate and root certificates by opening the server certificate with Windows Crypto Extensions. This will display the server in a three-tabbed user interface. On the third tab, select each of the signing certificates, select display, and then export that certificate using the “save to file” command on the second tab. Save each cert file using Base 64 format.

I’ve had continious issues with concatenating certs using type server.key server.crt intermediate.crt root.crt > server.txt

The last cert usually gets cut off (you can see when you open server.txt)., but it’s not immediately obvious and you get various errors saying the chain is invalid if you go any further.

The simple workaround is rather than concatenating all the certs in one step, simply do them one by one.


type server.key >key.txt

type server.crt >sslcert.txt

type intermediate.crt > intermediate.txt

type root.crt > root.txt

Then create a new text file in notepad called server.txt, and manually copy the contents of key.txt, sslcert.txt, intermediate.txt and root.txt in one by one.  The rest of the steps should now work for you.

Let us know if that helps or if you’ve any more gotchas!

Cormac McCarthy – Domino People Ltd


Unread marks auditing plus Design Dumps…

Every Domino Admin worth their salt will have experienced  incidents with unread marks not working correctly and will have “fixed” these in variety of ways, mainly either marking all documents as read, or exchanging unread marks between replicas

There’s another type of unread marks issue, where someone wants to audit unread marks (i.e. find out who has read a document and when).  Well IBM can provide with a free auditing tool that does just that (amongst other useful Developer type functions).

From the about page of application:

“Welcome to the Toolbox Database


The Toolbox database (toolbox.nsf) is designed to help administrators or advanced users troubleshoot issues with Unread Marks in a Lotus® Notes® database.  It can also be used for troubleshooting replication issues and design template issues.  Currently there are six major features in the Toolbox database. These are as follows:

  • Dump design documents: This feature enables users to dump information about all design documents in the database. Toolbox provides information on these attributes: NoteID, UNID, Sequence Time, Sequence, and UpdatedBy.  The output is sorted by Class Name and UNID.  This feature enable users to quickly identify who updated design documents, when they where updated, and how many times the documents were updated.
  • Dump design documents (long format) : This feature is the same as “Dump design documents” but provides more detailed information about each design document.  Additional information includes the document Title, Creation Time, and Last Modification Time.
  • Dump the NoteID and UNID :  This feature dumps the NoteID, UNID, Create time and Last Modified time for a database, database view, or single document to a log file. This log enables the user to take a quick inventory of the documents in the database or view. Then, when unread marks or replication issues are suspected, the user can dump the NoteID and UNID log again and compare the two logs to identify which document was changed.
  • Dump unread activity logs (local db only) :  This feature dumps the user’s unread activity log for a database, database view, or a single document to a log file. This feature works only on a local database that is not encrypted.  Also, the database must be enabled for unread replication.
  • Dump unread mark list : This feature dumps the unread mark list for a database, database view, or a single document into a log file. This feature works for any accessible local or remote database. This feature works only on a database that is not encrypted.  Also, the database must be enabled for unread replication.
  • Toolbox Add-in Menu : This feature adds the following Toolbox menu items to the Actions menu:  “Display info on selected Document”, “Dump design documents”, “Dump design documents (long format)”. These menus are enabled whenever the user is in a view to execute the action.”

There isn’t an Internet link per se for for the tool, but if you ask IBM Support nicely for it in a PMR they will provide it for you and it is intuitive to use.  IBM should probably have a technote on this as I think people would use it if they knew about it and it was freely downloadable (IBM take note !).

Please let us know if you end up using the application as a result of this post!

Cormac McCarthy – Domino People Ltd.


Traveler 9/Apple issue – “mails from other people appear to come from me”

An issue was reported by multiple users on a customer site recently.   Since a Traveler 9.0.1 upgrade :- mails coming into user’s inbox that are from external Internet senders are showing up in the “who” column as being from the recipient’s name rather than the sender. This is only for some mails though, not all.

The first steps taken were checking the SMTP headers to see had the message been modified by the mail gateway (McAfee).  Everything looked normal.  Checked the Domino logs, nothing unusual there.

Eventually we figured out, the common linkage was that the messages effected were last modified by the Traveler server.  The issue affected Traveler 9 users (who are all Apple iPhone/iPad users on this site) setting follow up flags from their devices.  Once a follow up flag is set on an external sender mail, then the “Who” column displays the person who received the mail rather than the sender in the Notes client (It remains fine on the iPhone/iPad however).

After opening a PMR with IBM, they  didn’t offer an immediate solution but started using the term “principal” field and have escalated to development (at the time of this writing we are still waiting to hear back) we managed to search online ourselves and find this –

I have to say the title “SET AS FOLLOW UP MAY SET PRINCIPAL TO RECIPIENT” isn’t intatuively understood, but when we read :-

“If user flags a mail for follow up on a Mobile device and the message does not have the standard Principal field, Notes Traveler will mistakenly set the user as principal instead of the sender. This problem is only seen with the 9.0.1 Gold release.”

We understood the issue was exactly the same as ours, though it wasn’t exactly easy to find.  The issue is fixed in 9.0.1 IFI 1.  We’ve installed 9.0.1 IFI2 and the issue was resolved. Implementing the fix does not change back mails that were previously “changed” by the Traveler server.

Quite a simple fix, but even IBM’s own support couldn’t tell us the documented fix!

Another example of the good practice of ensuring that your Traveler server has the latest fix packs and interim fixes applied.

Hope this helps someone else out!  Let us know if it does.

Cormac McCarthy – Domino People Ltd

Domino 9 – DBMT in program documents

The Database Maintenance Tool in R9, promises an awful lot; essentially, that it does everything compact, fixup and updall does, with more options including:

  • controls on number of threads for each task
  • conditional options such as running a fixup if compact doesn’t run a certain number of times
  • all from one single command/program document.

However, I’ve come across this on a couple of sites.  Admin is “trying out” new R9 features.  Admin reads help files for DBMT and gets really excited.  Admin tries a load DBMT command, it works, Admin tries to to turn on DBMT via program documents.  Admin gets “invalid syntax error”.  Admin thinks it doesn’t work and continues to compact, fixup updall individually via program documents as before.

The issue here is that DBMT will only work in a Program Document when it’s set to run “At Server Startup Only”.  i.e. the “range” switch is used to set which times it runs. It does say this in the help file, but it doesn’t highlight it particularly well, and isn’t particularly intuitive.

For all those who’ve been caught in this scenario here’s an example that works:


(runs with 4 compact threads, 4 updall threads from 3:00am to 7:00am, it will run a fix up on Sunday if there hasn’t been a valid compact for 5 days for more on the different switch options see here).

When the server starts you’ll see this task, it gives you the details of the current DBMT task:-

(what the DBMT program document was set to before server before it was restarted)

Note if you do not want the next DBMT to run, you can issue a “tell ndbmt quit” to the Domino Console.

Then when it’s in the time specified in range, you’ll see the threads under server tasks:

And when it’s run successfully, you’ll see the following statistics the console/log:


Let us know if you found this useful.

Cormac McCarthy – Domino People Ltd



New iNotes 9.0 Undocumented Security Feature.

In iNotes on a Domino 8.x server you can view encrypted mail over http, once you’ve uploaded your ID.

In iNotes on a Domino 9.0 server you get this message:

It’s an interesting that this is now forced, I haven’t seen it documented anywhere.

Not that we’d recommend that anyone use HTTP for any production releases of iNotes!

Cormac McCarthy – Domino People Ltd