HCL Notes Client - 64 bit, I am really looking forward to it
I am really looking forward to the release of the 64 bit HCL Notes Clients later this year.
I tested the 64 bit clients (Notes, Admin and Designer) earlier this year and it was a good experience despite it being a beta version.
It seemed faster than the normal 32-bit version and just as stable.
Normally I can only shut down my 32-bit Notes, Admin and Designer correctly 50% of the time.
The other 50% it will crash during shutdown and hang. The hanging Notes tasks would then have to be killed in Task Manager.
I did not experience that at all with the 64-bit version.
Unfortunately I had to uninstall due to a fatal bug in the designer, but this is to be expected in a beta version.
Yes, it was the wrong way around it and I am sorry!
I have posted some things in the last few days about a potential issue with passthru in Notes/Domino.
That was the wrong way of doing it, and I really am sorry for that.
The right way is of course to run it by HCL and have them look at it first ... and shut up in the meantime.
A wonderful and very insightful interview with Ray Ozzie on PLATO, Lotus Notes, Groove, Microsoft and more
It is a wonderful and very insightful interview with Ray Ozzie on subjects like PLATO, Lotus Notes, Groove, Microsoft and more.
It is a bit long, 4½ hours, but it does not feel that way.
Highly recommended! :-)
You can also get the transcript of the interview here
The Domino Passthru server security issues - follow up
It had bothered me for some time and I just had to get it out of my system, and on to the next thing on my very long "To do" list. Sorry.
However, I will be very glad if HCL would come forward and state in a clear way ... that there is no security issue, and explain what is going on in the Domino server when using Passthru.
They are then free to call me an idiot afterwards :-)
HCL Software does not have a Security Bounty Program
However, to add to the mix of all this ... I do not understand why HCL Software does not have a Security Bounty Program?
An easy way to report security issues.
Every other big software company does.
"Domino Does Not Get Hacked. Ever."
HCL writes this on https://www.hcltechsw.com/domino/domino-security-is-best
Now that is of course a stupid thing to write ...because there is no software which is completely unhackable and safe.
For one I wrote about the highly insecure ... (Websphere) connector
Security hole leaves IBM Domino server wide open - Part One
A feature which HCL ended up removing from Domino beginning in V12.0.1 due to its potential security issues
(and bringing it back in V12.0.2 ... why??)
Yes, HCL Domino has a great security model, because it is simple and logical in its nature.
But anyone who has worked with Notes/Domino for years knows that it is not perfect and has its cracks here and there.
The reason I did not create a support case is that I do not have access to create a support case.
I am a BP, but I do not have access to create a support case.
I did try many times to get it fixed and get access to support, but in the end I just ran out of energy on the matter.
Instead I have since created many cases through a customer's support account, so I believe I have done my share :-) ....
Has the Domino Passthru server been a big security hole all these years?
The idea of the Domino Passthru server
The idea of Domino as a Passthru server is a bit like a reverse proxy.
If you have 5 Domino servers on your internal network, and only one external IP address, it can be difficult to get access to more than one Domino server from the internet.
To remedy this you can set up the one Domino server you can access from the internet to be a Passthru server.
This server can then redirect the incoming traffic to the relevant Domino server. Pretty smart and very simple to set up.
Real life ... broken security
We were all trusting IBM and then HCL that security is in good hands. In general it is ..
HCL has done a lot of catching up in the last years to get "up to par" with the security and standards generally used in other products.
But somehow Passthru seems to have fallen between the cracks.
In the old days you could not see on the console whether a connection was secure and encrypted; you had to trust IBM/HCL that things were working.
But nowadays you can set these settings in notes.ini to get valuable information
The server then will show details about the connections to the server
T:AES:128 E:1: P:t:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048+X25519
The E:1 in the connection details shows that the connection is encrypted
(Read more here: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0040530)
But if you have a Notes client trying to use the Domino server as a Passthru server you will see this too:
T:AES:128 E:0: P:p:e S:RC2:0 A:2:1 L:N:N:N FS:
As you can see now the connection is no longer encrypted!
All Domino servers here have a port set up to force an encrypted connection in their port settings. The Notes client here is also set up to use encryption.
And yet if we look at the connection details when the server is accessed as a Passthru server, there is no encryption at some point.
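As an added example (not from the original post or from HCL), this Python check scans console output for connection-detail strings in the format shown above and reports sessions whose E field is 0. Only the E field is interpreted, as the post describes; the surrounding log text, the function names and the rule that a detail line carries both T: and E: tokens are assumptions.

```python
import re

# Constructed sample log. Only the two detail strings are taken from the post;
# the prefixes and the third and fourth lines are made up for the example.
SAMPLE_LOG = """\
[constructed] session A T:AES:128 E:1: P:t:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048+X25519
[constructed] session B T:AES:128 E:0: P:p:e S:RC2:0 A:2:1 L:N:N:N FS:
[constructed] unrelated console line without connection details
[constructed] copying E:\\backup\\names.nsf
"""

# A token is one or two capital letters, a colon, then colon-separated values.
TOKEN_RE = re.compile(r"(?<!\S)([A-Z]{1,2}):(\S*)")


def parse_details(line):
    """Return {field: [values]} for a connection-detail line, else None."""
    fields = {}
    for key, raw in TOKEN_RE.findall(line):
        fields[key] = raw.rstrip(":").split(":")
    # Assumption: a real detail string always carries both T: and E: tokens.
    if "T" not in fields or "E" not in fields:
        return None
    return fields


def encryption_state(line):
    """True for E:1, False for E:0, None if not a detail line or unknown value."""
    fields = parse_details(line)
    if fields is None:
        return None
    return {"1": True, "0": False}.get(fields["E"][0])


def find_unencrypted(log_text):
    """Return (line_number, line) for every session reported with E:0."""
    return [
        (number, line)
        for number, line in enumerate(log_text.splitlines(), 1)
        if encryption_state(line) is False
    ]


if __name__ == "__main__":
    for number, line in find_unencrypted(SAMPLE_LOG):
        print(f"line {number}: unencrypted session: {line}")
```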
This is bad, ....it is actually really bad.
Mostly because I had been using Passthru for years .... that scares me a bit
but also because I have been thinking I have been in good hands with IBM/HCL all these years...but maybe have not.
There may be a good explanation and calming words from HCL ...but I doubt it
Next step would of course be to use a network sniffer to monitor what is actually happening
From the console it seems that it is the connection used to authenticate at the Passthru server that is not encrypted, and that the connection to the destination server does get encrypted.
Am I hit?
If passthru is enabled on the Domino server, you are out of luck.
"But I do not use a Passthru connection from my Notes client!" ..... if your Notes client is trying to reach any unreachable server...it will try to use Passthru in the end, and connect unencrypted.
Most likely this will happen, since you will not have access to all of your servers at any given time.
Something like a scheduled replication may even trigger it.
Even trying to access a fake server name will start a Passthru connection.
It is easy to test your Domino setup yourself
Enable Passthru on the server.
Do a trace and see what it writes on the console
Hopefully HCL will explain what is going on and fix the issue with Passthru servers in a release soon
Advice - how to disable Passthru
In the Server document make sure to remove ALL data in the "Route through" field. Anything in there and the server is then a Passthru server
In the local address book remove any connection documents using Passthru as a way of connecting to a server
This is what a Trace should say if server and client are correctly set up:
Domino V12 can not run on Windows Server 2019 with Active Directory installed and weird deletions of Domino EXE files
I had a really bizarre experience with installing (as additional Domino server) and running Domino V12.0.1 on a Windows Server 2019 running Active Directory.
First I would repeatedly get this error "Entry not in index":
the first times I tried to install and the installation would stop.
This is of course a useless error message.
It seemed to be some access issue in the server document that was not correct.
After fixing this it would install but seems to skip many steps present in V11. I do not know if that is intended.
After installation, running the server for the first time, I would to my surprise get pop-up error message:
"Launching the Domino server on a Active Directory Domain controller is not allowed!"
and then when I clicked OK, the server would start but give errors and in the end remove some of the Domino .exe files.
I would then have to reinstall Domino again since the .exe files were deleted. Starting the server ....every time ....the same would happen.
First I thought it was some Windows Policies that prevented Domino from running, but it was not
I found a HCL support document about a similar error in the pop-up box
Since nothing seemed to change no matter what I did, I thought I would try installing V11 instead.
I am glad to say the V11 version started without any of the same issues.
So this is the fix for now.
I have not dared to upgrade to V12 afterwards to see what happens...feeling very tired...