Writings mostly about Lotus Notes/Domino...by me :
Jesper Kiaer,Espergærde, Denmark

Looking for a Notes/Domino developer? An Apache Solr expert? ...I'm available

Synology Cloud Station - Important update 4.2.1-4374 ... much much improved performance
If you have been using Synology Cloud Station for instantly backing up files from your PC/Mac to a Synology NAS, you have most likely been very disappointed with the performance.

It has been REALLY slow, with the Synology NAS running at 99% CPU usage.

Well, good news ...update your Synology NAS to the new Cloud Station version 4.2.1-4374, and your client software too.

You will now find that performance has improved manyfold! ...and it is actually very useful now :-)

Published by: Jesper B. Kiær at 23-11-2016 09:58:34

The non-existing Fix Pack 7 for IBM Domino - Notes is to be released in September
The Fix Pack 7 for IBM Notes/Domino is to be released in September 2016.

However, it seems to be non-existing..?

If you look at the actual fixlist with the list of fixes, it does not contain anything for FP7.

So is IBM transferring the fixes from 9.0.2. to FP7 ..or what is going on?

We will see in September....(but still strange).

Published by: Jesper B. Kiær at 01-08-2016

From IBM Support a warning ...load compact -replica may cause loss of data


Modifying documents while compacting with -replica may lead to data loss.

Quite serious, since the whole point of using the -replica option is that the database should be accessible while compacting...well it is accessible ....but you may lose your data if you modify data...

IBM Solution: Don't use Compact -Replica while the server is online ...(??)

Published by: Jesper B. Kiær at 31-07-2016 17:38:00

Read and write to the MS Windows Registry from Java
Sometimes you need to read or write to the MS Windows Registry (be careful!).

This can normally not be done from Java, but by using JNA you can access the MS Windows API.
In JNA a lot of the MS Windows API has already been mapped so it is ready for use.

This is a short, simple example of how to get the installed Flash version:

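	// root is a WinReg.HKEY; keyStr and valueStr name the registry key and value to read
	if (Advapi32Util.registryKeyExists(root, keyStr)) {
		System.out.println(Advapi32Util.registryGetStringValue(root, keyStr, valueStr));
	} else {
		System.out.println("Could not find " + keyStr + "\\" + valueStr);
	}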

This will print: 21,0,0,213

Take a look here for the other methods for handling the Windows Registry:


Published by: Jesper B. Kiær at 15-04-2016 16:50:00

Don't install the IBM Notes 9.0.1FP5 SHF106 - it will break your OpenNTF Extlib installation
The other day I upgraded my IBM Notes client with 9.0.1FP5 SHF106 and all went well.

However when I open my designer the OpenNTF ExtLib was gone..??

So I tried to install it again from my update site NSF, but all I got was this error

So I then tried to upgrade another PC with the fixpack.

Unfortunately with the same result, and it too broke the OpenNTF Extlib with the exact same error when I tried to install it again.

I have no idea how to fix it.

Sometimes I really just hate the IBM Domino Designer...

Published by: Jesper B. Kiær at 26-12-2015 00:17:45

Security hole leaves IBM Domino server wide open - Part Two
The Security Issue

In Part One I wrote that it is recommended by IBM to set "HTTPEnableConnectorHeaders=1" in the notes.ini file when having a Reverse Proxy, IBM HTTP server etc. in front of an IBM Domino server.
This makes Domino accept and understand some predefined HTTP request header fields.
One of the predefined HTTP Header fields is:

$WSRU: "The remote user specified for the given request"

When IBM decided that the IBM WebSphere server and the IBM Domino server should work together (meaning access to "old" Domino data via the WebSphere server), they chose to do it in a "convenient" way, but from a security standpoint .. a horrible way.
You would most likely authenticate and log in at the WebSphere server, and if needed you could then access a Domino server by the WebSphere server adding some predefined data to HTTP headers when sending the request to the Domino server.
However, IBM thought that since you had already authenticated on the WebSphere server, you should not need to authenticate again on the Domino server.
Instead of making a proper secure solution, they decided that just by adding the username to the $WSRU HTTP header field in the request to the Domino server, it should accept this as the user and give the user access to the server.

What does this mean?
It means that if "HTTPEnableConnectorHeaders=1" is set in the notes.ini file

ANYONE can impersonate whoever they want in the Domino Directory!! ...why not go for an administrator with full access? :-)

All you need is a username or maybe even just a shortname, ....NO password is needed !!
You just need to set the HTTP header field $WSRU in the HTTP request to the Domino server.
You can do that in one line in JavaScript, Java ...even in Formula language in Notes/Domino.

The simplest way to test this elevated access is to use a browser add-on which adds HTTP header fields to your requests to the IBM Domino server.

This is not a bug
This is not a security bug or anything like it.
It is (in IBM lingo) "working as intended" .. just in this case a horrible design and implementation.
To show you that what I am claiming is in fact true ...I have made this short video showing the security issues in IBM Domino.

So you think you can lock down your Domino anyway?
Well you could do something like

- setting a Firewall to only accept HTTP from the Reverse Proxy
- locking down network interface to Localhost

but it is not going to seal off your Domino server.

Anything on the server with HTTP capabilities still has full elevated access with no need for a password. This could be Agents, XPages, server scripts..you name it.
One tiny error in your attempt to seal every HTTP hole and.....

Believe me, this is not the route you want to go.

Setting "HTTPEnableConnectorHeaders=0" in the Administrator
You should always use the administrator to set notes.ini variables via Configuration documents.
In case someone changes values directly in the notes.ini file, they will be overridden and corrected again from the values in the Configuration documents when the server is restarted.

Go to the Configurations tab.
If there is no Configuration document for all servers (*) consider creating one. Otherwise you must edit the configuration documents for each server.

for all servers

Go to the NOTES.INI tab.

Click the Set/Modify button

Either select the present setting for HTTPEnableConnectorHeaders if you have one or create a new one.

Set it to 0 and save.

Restart the servers when appropriate.
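
After the restart, the notes.ini on each server can be checked to confirm the setting really is 0. The following is an added example, not part of the original post: the server names and notes.ini contents are constructed, and the case-insensitive name matching and "report every occurrence" rule are conservative assumptions rather than documented Domino behaviour.

```python
import re

SETTING = "httpenableconnectorheaders"  # notes.ini variable named in the post
# KEY=VALUE lines; skips section headers such as [Notes] and ';' comment lines
LINE_RE = re.compile(r"^\s*([^=;\[\s][^=]*?)\s*=\s*(.*?)\s*$")

def audit_notes_ini(text):
    """Return [(line_no, value)] for every line that leaves the setting enabled.

    Assumptions (not from the post): the name is matched case-insensitively,
    every occurrence is checked so a duplicate line cannot hide behind a
    corrected one, and any value other than an explicit 0 is reported.
    A file where the line is absent produces no finding.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or m.group(1).lower() != SETTING:
            continue
        value = m.group(2)
        if value != "0":
            findings.append((line_no, value))
    return findings

def audit_servers(ini_by_server):
    """Map server name -> findings, keeping only servers that need attention."""
    report = {}
    for server, text in ini_by_server.items():
        findings = audit_notes_ini(text)
        if findings:
            report[server] = findings
    return report

# Constructed sample notes.ini contents; server names are hypothetical.
SAMPLE = {
    "app01": "[Notes]\nServerTasks=Replica,Router,HTTP\nHTTPEnableConnectorHeaders=1\n",
    "app02": "[Notes]\nhttpenableconnectorheaders = 0\n",
    "app03": "[Notes]\nHTTPEnableConnectorHeaders=0\nHTTPENABLECONNECTORHEADERS=1\n",
    "app04": "[Notes]\nServerTasks=Replica,Router\n",
}

if __name__ == "__main__":
    for server, findings in sorted(audit_servers(SAMPLE).items()):
        for line_no, value in findings:
            print(f"{server}: line {line_no}: HTTPEnableConnectorHeaders={value!r} (expected 0)")
```

A finding after a restart suggests the value is still being pushed from a Configuration document, so that document is where it has to be corrected.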

Published by: Jesper B. Kiær at 29-10-2015 00:21:00