

Open Mic Webcast: Increase Connections Adoption By Socializing Your System Monitoring Data

Why not integrate Connections into how you share user/client response time data for Connections and its various supporting components? Join Jim Dewan as he describes how to incorporate Connections into your software solution monitoring/troubleshooting and performance analysis.

After a presentation, attendees will be given an opportunity to ask our panel of experts questions. Throughout the event, attendees will also be encouraged to comment or ask questions in the IBM Connections Meetings Web chat.

Topic: Open Mic Webcast: Increase Connections Adoption By Socializing Your System Monitoring Data
Date: Wednesday, February 4, 2015
Time: 11:00 AM EST for 60 minutes
Webcast URL:
Webcast Password:  webcast

For a list of world-wide phone numbers, the phone passcode, and an iCalendar (.ics) file for this session, click here:

Note: Audiocast will not be available for this session. An audio replay of the session will be posted to Technote 7044493 soon after the event.

Warning – Microsoft's Outlook app for iOS and Android breaks your company security

According to the blog of René Winkelmeyer, there are security holes in the Outlook for iOS and Android client, which was released on Thursday, January 29th. René checked the client and found the following security problems (thanks to René for posting):

File sharing capabilities

The app has built-in connectors to OneDrive, Dropbox and Google Drive. That means a user can set up his personal account within the app and share all mail attachments using those services. Or use files from those services within his company mail account. That’s a data security nightmare.

It doesn’t matter if you’re using a containerized solution like the Apple built-in separation of managed and unmanaged apps. The same applies to every other container. The communication is app-internal and you cannot control that.

Shared Exchange ActiveSync ID and device type

It gets even worse. Each ActiveSync client normally has a unique ID for data synchronization. That allows administrators to distinguish a user's devices. Microsoft's Outlook iOS app doesn’t work that way. The app shares the same ID across all devices of a user. And it seems like one device!

That means: If a user installs the Outlook app on his iPhone and on his iPad it’s seen as one device. There’s no way to distinguish if it’s an iPad or an iPhone. Nada. Niente. Using device approval on Traveler won’t help. It connects as “one device” – and you cannot control that. That’s a security nightmare.

Microsoft has your credentials

Now to the worst part: Microsoft will get and store your mail account credentials in the cloud if you use the iOS Outlook app.

When I set up the app I was asked if I want to receive push notifications. As a “regular” user I accepted (click, click, OK). As an iOS developer I was wondering why the app wants to send me push notifications. Push notifications are normally triggered by a remote server. So I ran a quick test:
  • I stopped the app (removed it from the list of active devices).
  • I sent myself from another account a test mail.
  • I immediately received a push notification about new mail.

That could not be true. Either Microsoft was doing some magic iOS stuff that I’m not aware of. Or they are using a central service, using my credentials, to monitor my ActiveSync account. So time for another test:

  • I put all my devices in airplane mode. So there could be no communication.
  • I opened the access_log of my Apache server (which sits in front of my Traveler server).
  • There it was! - - [29/Jan/2015:16:19:50 +0100] "POST /traveler/Microsoft-Server-ActiveSync? HTTP/1.1" 200 25 "-" "Outlook-iOS-Android/1.0"

What I saw was breathtaking. A frequent scanning from an AWS IP to my mail account. That means Microsoft stores my personal credentials and server data (luckily I’ve used my private test account and not my company account) somewhere in the cloud! They haven’t asked me. They just scan. So they have in theory full access to my PIM data.

Block them – NOW

The only advice I can give you at this stage is: block the app from accessing your company's mail servers. And inform your users that they shouldn’t use the app.

If you have a reverse proxy in front of your IBM Notes Traveler (or Exchange) server you can use a partial check on the HTTP User-Agent and block everything that contains “Outlook-iOS-Android”.
If you don’t have a reverse proxy in front of IBM Notes Traveler you can use the Traveler settings to disallow this device type (i.e. using the notes.ini parameter “NTS_USER_AGENT_ALLOWED_REGEX”). You’ll find detailed documentation on how to handle this in the IBM Knowledge Center.

Also a great option to disable the access to your IBM Notes Traveler Server has been documented by Detlev Poettgen at his blog.

Or use midpoints' product traveler.rules, which accomplishes the same (and more).


It’s even worse (thanks @shadowBJ21 for pointing me to that). For those who don’t know: Microsoft bought Acompli some time ago and “re-branded” their app to this new Outlook app.

Last Updated: January 28, 2015

“We provide a service that indexes and accelerates delivery of your email to your device. That means that our service retrieves your incoming and outgoing email messages and securely pushes them to the app on your device. Similarly, the service retrieves the calendar data and address book contacts associated with your email account and securely pushes those to the app on your device. Those messages, calendar events, and contacts, along with their associated metadata, may be temporarily stored and indexed securely both in our servers and locally on the app on your device. If your emails have attachments and you request to open them in our app, the service retrieves them from the mail server, securely stores them temporarily on our servers, and delivers them to the app.”

“If you decide to sign up to use the service, you will need to create an account. That requires that you provide the email address(es) that you want to access with our service. Some email accounts (ones that use Microsoft Exchange, for example) also require that you provide your email login credentials, including your username, password, server URL, and server domain. Other accounts (Google Gmail accounts, for example) use the OAuth authorization mechanism which does not require us to access or store your password.”
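The access_log check and the partial User-Agent match described in the post, as an added example that is neither René's nor this blog's code: a POSIX shell script that scans Apache combined-format log lines for the "Outlook-iOS-Android" user agent and reports the number of requests per client address, which is what an administrator would run over a Traveler reverse proxy log to see whether the app is in use. The log lines are constructed for the example and the addresses come from the documentation ranges; they are not real servers.

```shell
#!/bin/sh
# Added example (not from the original post). Detects requests made by the
# Outlook app for iOS/Android in an Apache access_log by a substring match on
# the User-Agent, the same partial check a reverse proxy rule would apply.
# Assumes a POSIX shell and awk; log lines and addresses below are constructed.

# Constructed sample log in the combined format: client IP, identity, user,
# timestamp, request, status, bytes, referer, user agent.  Two hits from one
# address, one native iPhone sync and one unrelated web login.
SAMPLE_LOG='198.51.100.7 - - [29/Jan/2015:16:19:50 +0100] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Ping HTTP/1.1" 200 25 "-" "Outlook-iOS-Android/1.0"
192.0.2.10 - - [29/Jan/2015:16:20:01 +0100] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 200 1520 "-" "Apple-iPhone6C2/1202.466"
198.51.100.7 - - [29/Jan/2015:16:22:15 +0100] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Ping HTTP/1.1" 200 25 "-" "Outlook-iOS-Android/1.0"
203.0.113.5 - - [29/Jan/2015:16:23:40 +0100] "GET /names.nsf?Login HTTP/1.1" 200 4013 "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Print one line "<count> <client ip>" for every address whose requests carried
# the Outlook app user agent.  $1 = path of the access log to scan.
outlook_app_hits_by_ip() {
    awk -v ua="Outlook-iOS-Android" '
        # Split the line on double quotes; the user agent is the text inside
        # the final pair of quotes, i.e. the second-to-last piece.
        { n = split($0, f, "\"") }
        # Substring match, not anchored: version suffixes still match.
        index(f[n-1], ua) > 0 { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }' "$1"
}

# Total number of Outlook app requests in the log (0 when there are none).
# $1 = path of the access log to scan.
outlook_app_hit_count() {
    outlook_app_hits_by_ip "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Demo: write the constructed log to a temporary file and report on it.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "Outlook app requests: $(outlook_app_hit_count "$demo_log")"
outlook_app_hits_by_ip "$demo_log"
rm -f "$demo_log"
```

The same substring test is what the reverse proxy rule from the post applies before a request reaches Traveler; on Apache 2.4, for instance, `SetEnvIfNoCase User-Agent "Outlook-iOS-Android" block_outlook_app` followed by `Require not env block_outlook_app` inside a `<RequireAll>` block for the Traveler location does that (an assumed configuration built from mod_setenvif and mod_authz_core directives, not one from the post).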


IBM CCM doesn't display newly created folders or files

Last week I had the issue that I could not see a newly created folder in the Connections CCM. The browser looked like this:

But the created folder was correctly displayed in the MS Desktop Plugin:

After some investigation, and after going through the logs of the CCM server, I found out what caused the problem: it was the display option that kept the file and the folder from being displayed! After switching from the preview list to the list option, everything was displayed correctly:

Working as designed ???


IBM Notes/Domino 9.0.1 Fixpack 3 available

Today IBM released IBM Notes/Domino 9.0.1 Fixpack 3, including the following fixes (the official fix list can be found here):

FP3 is available for download on IBM Fix Central.

BINN88QRPP Fixes issue where when using the Domino Administrator client to delete users from the address book, the error: "Error Looking up name on LDAP...
KLYH9Q3L4V Add support for TLS 1.0 inbound
ITDL9PWMFU Fix for CVE-2014-3566 - SSLv3 POODLE (Padding Oracle On Downgraded Legacy Encryption). Solution adds TLS 1.0 support all Domino protocols not covered...
PALT9P8JDG Fixes XPage mobile controls failing on iOS 8
DKEN9PJNGP SHA-2 capable tools needed to manage Domino SSL keyring files
KKIL9N4NXS Upgrades CKEditor to address a security concern in XPages
TCHL9JUNRW Includes file for better stack annotation with OSWalkStack routines
SSHE9FDJW5 Fixed an issue with ODBC causing a crash on 64-bit environments.
YSAI9PGCQN Domino 9.0.1FP2 Xpage does not show emoticon icons which were inserted in XPage 9.0.1FP2. This is a regression in 9.0.1 FP2.
DKEN9PJNBC Allow certreq.nsf to create SSL keyring files containing certificates signed using SHA-256, SHA-384, and SHA-512.
TAIA9L8ATH Fixes a problem where an attachment cannot be opened via the browser if it has Japanese characters in its name. This is a regression in...
GMAM9P4BR8 Three design elements get added to an NSF each time it is opened in Designer causing Domino to eventually hang.
JSCD9J7KS9 Fixes failure on saving new note using NSFNoteUpdate on an IMAP enabled database
NVJI9MHF3P Fixes Domino server crash at startup if transaction log is enabled and the notes.ini LOGGER_MQ_POOL_SIZE is used. This is a regression in...
DDEY9N8Q62 Change made to allow Domino data service to tolerate database properties changes made by Notes 8.5.2. This is a companion fix to SPR...
DKEN9PRNQT Changes to Notes/Domino's OCSP support to add SHA-2 capability
BGLN9NMEBY Fixes issue where adding toolbarType dojo attribute to an xPage no longer gets applied. This is a regression in 9.0.1 FP2.
MSER8WDJHW Fixes intermittent Domino server crash on 'object.ReceiveObject' due to a memory overwrite
YYYW9EPAGF Fixes intermittent Domino server crash on http: ccSTRIFindFirstMatchingTable
BGLN9NMEG7 Fixes issue in xPages where Camel case dojo attributes: "removePlugins", "tabSpaces", "toolbarLocation" are not applied.
ASHH9K55VR Fixes an issue where an attached file whose file name contains a fullwidth full stop character can not be opened from a web browser. In this...
MABT9JET6B Fixes error: "Failed Assert" when using the DXL export functionality of the C API.
KLYH9MKHPD Updated the embedded JVM in Notes/Domino to Oracle July 2014 Critical Patch to fix multiple vulnerabilities. For more information see:...
MZHO9LT8HU The NSD diagnostic log will now contain the Java path and version information currently being used by IBM Domino.
DKEN9N8T3M Remove weak SSL/TLS CipherSpecs
BYAG9LD3PS Fixes performance issue with DAOS/NLO Restore on BRMS. Restoring some NLO files for Notes is taking up to 1 hour to restore 1 file. This fix controls...
MZHO9LT8MX Adds all information about JVM maintenance release(such as JVM SR15FP1) to the Domino console output
TTAN8RHJ7J Domino tasks that start and stop successfully on an active server result in <defunct> processes from the OS. These continued to build until the OS...
JKEG8YRGFN The TNEF Enable Conversion function does not work well when the mail's attachment's type is .msg
RGAU9MHH3T Fixed a potential security issue in the web server. This is a regression in 8.5.3 FP6.
VDES9D2BEG Fixes issue with Domino directory that prevents some Traveler users from activating their Out Of Office. The error message: OOOAPI: Duplicate name...
GFAL9AKKJZ Adds ability to validate NLO files during resync, as well as utility to encrypt/decrypt/re-encrypt NLO files. See technote 1673931. This is a...
YDEN8RNH22 Support added for TLS 1.0 for SMTP
JPAI9CTMWE Fixed an intermittent issue that would cause a single Notes Database to be locked preventing anyone from opening the database until the Domino Server...
YSAI9CCBYG Fixes Domino Server crash when executing notesView.getColumnValues method, if there are many documents in a database.
DADS7TQLV2 Fixes Domino Server crash on nBes Crash during conversion when using the function call: ICConvertInlineFiles
PMAO9C6R9G Adds the ability to validate NLO files in DAOS repository. See technote 1673931. This is a companion fix for , GFAL9AKKJZ and...
PMAO9LM3E8 Adds ability to validate NLO files during resync, as well as utility to encrypt/decrypt/re-encrypt NLO files. See technote 1673931. This is a...
SKAI8DXFFW Fixes issue where authentication that has been enabled in the SMTP Internet Site Doc will not take effect immediately, causing an error when a user...
ENOR7XQ2DK Fixes issue where mail from the UCMail8.ntf design is being archived before the archive criteria
JSHN9FUQJE Fixes Domino Server/Notes Client crash when exporting certain documents to DXL.
SKAI9Q7B33 Fixes issue where the HTTP task always rebuilds view of ($Servers) when Domino server starts. This is a regression in 9.0.1.
YMUI7S683F Fixed truncation issue with the ID Vault Password Reset tool in the admin client when using the mail option.
WWAG9Q64YW Calendar entry shows one hour off after Jan 7, 2015 after Russian DST hotfix is installed.
KMOA9NEEX8 Fixes Sametime 9 startup issue after upgrade to Domino 9.0.1.
SWAS97JMU7 Fixes deadlock in container code between UBM & semaphores
KLYH9QXMQE Adds the ability to disable SSLv3 by setting DISABLE_SSLV3=1.
JPAI97GPRP Fixes Domino Server PANIC: MemFree: object still locked seen on Windows 64 bit.
PFIE9MRHVF Repeat all day events do not book the morning... should start at 4AM not 12:01 PM
DVDI9FJ9Q8 Fixes a bottle neck that can occur when a single collection in a single database gets into an invalid state and blocks opening other collections in...
QPGG9N5B93 REST API Calendar imports of all day events would fail if the end date and start date were the same.
SRAO98JTBV Fixes issue where applets fail to load an external jar file
RMAS9MSSEY The DTRACE debug facility may truncate debug output that is generated by TRACE_MSG function calls. This fix adjusts the buffer sizes to avoid the...
YDEN9KYL23 Fixes ID vault merge of certificates after certifier key rollover/user recertification
KMUR94NJPQ Fixes Domino Server crash on http task with PANIC: Object handle is invalid
KLYH9QQL2M IBM JRE / JVM in Notes and Domino upgraded with October 2014 update to address a series of java security vulnerabilities outlined in technote...
JPAI9HKJZG Fixes error: Unable to extend an ID table - insufficient memory seen when running compact.
SSHD83UHMV Performance improvement for LDAP searches. This fix is disabled by default. Set LDAPUseViewSearch_LTPA=1 to enable it.
XBXB9QCH55 Fixes issue where if a doc link created by AppendDocLink is sent to another database, the link can be opened in Domino853, but can not be opened in...
XXLI9RGAX9 Removes erroneous OS level warning message when installing Open Social Component
NXLE9FU7XR Fixes Domino Server crash on LongJmp Crash that occurs on Error handling
PALT9D65EN The Out of Office service is responding to the SMTPORiginator field for BATV enabled emails even though the server has the INI router...
MJBC9CXU6N Fixes password history being automatically enabled if user's id is vaulted and imported in mailfile via iNotes.
YXIG92GTJ6 Fixes ID vault crash
GTON9H6K7X CREATE_R9_DATABASES=1 not honoured through create replica adminp request. Adminp will check the ODS Level of the destination server's names.nsf and...
GLAG9MPRBP Fixes SAML audience check and reuse error messages displayed when unnecessary
RDJS9AT227 Fixes LotusScript CopyToDatabase overwriting the ReplicaID of document links to the destination database. This is a regression in...
GFUR9N6LD4 Fixes performance issue when running DBMT. This fix adds a new option to DBMT to skip unread update processing. To use: set new notes.ini variable...
BBSZ9QSKAR Support is added for Vmware 5.5 U1
MJTM9HUT3C Fixes Domino Server crash with Error Message = Panic: Error Writing Checkpoint To System Log File.
RGAU8XFMDN Fixes issue with date/time fields in XPages by honoring past/current DST boundaries.
KLYH9RMJGL Fixes the POODLE on TLS security vulnerability.


Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation

Official Step-By-Step guide

1. Before you begin, note the following information about running KYRTool & OpenSSL

    If you have a command line parameter with spaces in it, such as the path to a file, the space can cause the command line to be read incorrectly, resulting in errors. This can affect running commands for both OpenSSL and KYRTool.
    To include a space in a parameter, the parameter must be delimited with quotation marks. For example, if Notes were installed in the Program Files directory, then the command line for creating a keyring might look like this:

kyrtool ="c:\Program Files\IBM\Notes\notes.ini" create -k "c:\Program Files\IBM\Notes\data\keyring.kyr" -p password

1a. KYRTool

    Download link:

    Place the KYRTool in the Notes program directory, as it relies on .DLLs installed by Notes.
    If you have the Notes/Domino program directory in your system's PATH environment variable, this can be installed to any directory.

1b. OpenSSL

    Download links for the Windows versions of OpenSSL are available at

    The light version of OpenSSL is sufficient for the tasks required for creating a SHA-2 certificate. v1.0.1j is the latest recommended release as of December 2014. Either the 32-bit or 64-bit version can be used if you are on Windows 7.
    OpenSSL may need updates to Windows Visual C++ libraries. If the libraries are not up to date, a prompt will display during the OpenSSL install noting that updated Visual C++ libraries are needed. Links for downloading these libraries are also on the download page for OpenSSL.
    A configuration file "openssl.cfg" will be extracted by the installer to the bin directory. In order for OpenSSL to read this configuration file, you must set an environment variable by running the following command from a DOS prompt

SET OPENSSL_CONF=<path to the OpenSSL bin directory>\openssl.cfg
e.g. SET OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg

    You run OpenSSL from the "openssl.exe" file, which is found in the \bin directory of the OpenSSL install. Open a command prompt window in this directory to run it. If you double click on openssl.exe, it will open in a DOS command window. If you launch OpenSSL this way, you enter only the name of the OpenSSL function in the command window. For example, instead of typing "openssl genrsa..." you would enter "genrsa..."

2. Generate an RSA keypair using OpenSSL
[~]$ openssl genrsa -out server.key 4096

Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

The resulting keypair should not be password protected. This isn't a good security practice, so only perform these steps for production systems on a restricted access system believed to be secure. The resulting keypair should look like the following:
[C:\] type server.key

[Many lines removed]

3. Generate a Certificate Signing Request (CSR) using OpenSSL

NOTE: If a config file for OpenSSL is not defined by an environment variable, a user may not be able to create a csr with the "openssl req" command, and will receive the following message when running the command. "Unable to load config info from /usr/local/ssl/openssl.cnf". See Step 1b above to resolve this.

This step prompts you for information that should be in your final certificate, bundles that up along with the public half of the RSA keypair that was just generated, and signs the whole thing with the private half of the keypair. In this example, everything was left blank except for the DNS name of the SSL test server. Note the "-sha256", as the default algorithm for current versions of OpenSSL is SHA-1.

[~]$ openssl req -new -sha256 -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[C:\] type server.csr

[Many lines removed]

4. Acquire an SSL/TLS certificate from a third party CA

This process varies from CA to CA, but you generally copy the certificate request block from above into a web form and pick what signing algorithm you would like the CA to use. Feel free to select one of the SHA-2 algorithms (SHA-256, SHA-384, and SHA-512) -- the resulting keyring file will work just fine on any 9.0.x server, even those without the hotfix for TLS and SHA-2.

You will receive a certificate just like the one created in the self-signed steps. This can be displayed by using the "type" command from a command prompt or by opening the file in Notepad.

[C:\] type server.pem
[Many lines removed]

You may also receive some of the CA's intermediate root certificates. Also note that the file received may be a .crt instead of .pem. The .crt file will act the same as a .pem when you display it.

5. Create a new keyring file

At this point in the example, the Administrator switched from the Linux box where OpenSSL was run to a Windows box to use kyrtool.exe.

[C:\] kyrtool =c:\lotus\notes\notes.ini create -k c:\lotus\notes\data\keyring.kyr -p password
Keyfile c:\lotus\notes\data\keyring.kyr created successfully

[C:\Lotus\Notes\Data] dir keyring*
Volume in drive C is C_Drive
Volume Serial Number is 306D-00D5

Directory of C:\Lotus\Notes\Data

10/08/2014 02:15 PM 29,161 keyring.kyr
10/08/2014 02:15 PM 129 keyring.sth
2 File(s) 29,290 bytes
0 Dir(s) 400,743,673,856 bytes free

6. Import the RSA keypair and self-signed certificate into the new keyring file

6a. Concatenate server.key and server.pem into a single file:

This step varies from the self-signed case. You will have more than one certificate in your ".pem" file, and will want to place them in order with your server's SSL "leaf" certificate first and the root certificate last. The verify command in step 6b will check that the ordering is correct. If it returns any warnings or errors, edit the PEM file and verify it again.

Note the following:

    Certificate Authorities will frequently return a signed certificate in a .crt file. If they also provide the root certificates when returning the CSR file, then you can concatenate all of the .crt files to the private key by using the "type" command from a DOS prompt.

    The files should be concatenated with the server key first, the server's cert next, the intermediate cert next, and the root cert last. Concatenation can be done from a DOS prompt using the TYPE command. The type command takes a list of files and appends them together into an output file designated with a greater-than symbol. For example:

type server.key server.crt intermediate.crt root.crt > server.txt

    In this example "server.txt" is the file provided to the kyrtool for import into a Domino keyring. You can display this output file in Notepad.

    If the root and intermediate certs are not provided with the signed certificate, export the intermediate and root certificates by opening the server certificate with Windows Crypto Extensions. This will display the server in a three-tabbed user interface. On the third tab, select each of the signing certificates, select display, and then export that certificate using the "save to file" command on the second tab. Save each cert file using Base 64 format.

6b. Verify the Input file:

This is an example of verifying a complete and correctly ordered PEM file:

[C:\] kyrtool =c:\lotus\notes\notes.ini verify c:\lotus\notes\data\ssl\server.txt

KyrTool v1.0

Successfully read 2048 bit RSA private key
INFO: Successfully read 4 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: IssuerName of cert 2 matches the SubjectName of cert 3
INFO: Final certificate in chain is self-signed

If you receive any ERROR: lines, you should resolve those errors before moving on to step 6c.

6c. Import the keypair and self-signed certificate:

[C:\] kyrtool =c:\lotus\notes\notes.ini import all -k c:\lotus\notes\data\keyring.kyr -i c:\lotus\notes\data\ssl\server.txt

Using keyring path 'c:\lotus\notes\data\keyring.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded

7. Examine the resulting keyring file

[C:\] kyrtool =c:\lotus\notes\notes.ini show keys -k c:\lotus\notes\data\keyring.kyr
[C:\] kyrtool =c:\lotus\notes\notes.ini show certs -k c:\lotus\notes\data\keyring.kyr

8. Copy over your new keyring file and start the Domino server

Back up your old .kyr and .sth files, shut down the server, copy over your new keyring and stash files, restart the server, and check out the results!
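Steps 2, 3, 6a and 6b of the guide carried through end to end, as an added example that is not part of IBM's guide and not kyrtool's code: a POSIX shell script driving the openssl CLI. Because no third-party CA is reachable offline, make_test_chain() builds a constructed root and intermediate CA and signs the CSR with them in place of step 4; in real use you would drop in the files your CA returns. verify_chain_file() reimplements the checks that "kyrtool verify" reports in step 6b (private key matches the leaf, each issuer matches the next subject, final certificate self-signed) using openssl x509, so a misordered or incomplete server.txt is caught before the import. cat stands in for the Windows type command; the host name traveler.example.com and the CA names are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's guide or kyrtool code: carries steps 2, 3, 6a and 6b
# through with the openssl CLI. make_test_chain() is a constructed stand-in for
# the third-party CA of step 4; replace it with the files your CA returns.
# Assumes a POSIX shell, openssl on PATH and an openssl configuration it can find.
set -e

# Steps 2 and 3: unencrypted RSA key and a SHA-256 CSR, the DN supplied via -subj.
# $1 = work dir, $2 = server host name, $3 = key size in bits
make_key_and_csr() {
    openssl genrsa -out "$1/server.key" "$3" 2>/dev/null
    openssl req -new -sha256 -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" 2>/dev/null
}

# Constructed CA (step 4 stand-in): a root signs an intermediate, which signs
# the server CSR.  $1 = work dir
make_test_chain() {
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -key "$1/root.key" -days 2 \
        -subj "/CN=Example Test Root" -out "$1/root.crt" 2>/dev/null
    openssl genrsa -out "$1/inter.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/inter.key" \
        -subj "/CN=Example Test Intermediate" -out "$1/inter.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$1/inter.csr" -CA "$1/root.crt" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/inter.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$1/server.csr" -CA "$1/inter.crt" \
        -CAkey "$1/inter.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Step 6a: key first, then leaf, intermediate and root ("cat" replaces "type").
# $1 = work dir, $2 = output file for kyrtool import
concat_for_kyrtool() {
    cat "$1/server.key" "$1/server.crt" "$1/inter.crt" "$1/root.crt" > "$2"
}

# Step 6b: the checks "kyrtool verify" reports. Returns 0 when $1 holds one
# private key followed by a correctly ordered chain, 1 otherwise.
verify_chain_file() {
    vdir=$(mktemp -d)
    # Split the file into key.pem and cert0.pem, cert1.pem, ... in file order.
    awk -v dir="$vdir" 'BEGIN { n = 0 }
        /^-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.pem" }
        /^-----BEGIN CERTIFICATE-----/   { out = dir "/cert" n ".pem"; n++ }
        out != "" { print > out }
        /^-----END / { close(out); out = "" }' "$1"
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    rc=0
    if [ ! -f "$vdir/key.pem" ] || [ "$ncerts" -lt 1 ]; then
        echo "ERROR: need one private key and at least one certificate"; rc=1
    elif [ "$(openssl rsa -in "$vdir/key.pem" -noout -modulus 2>/dev/null)" != \
           "$(openssl x509 -in "$vdir/cert0.pem" -noout -modulus)" ]; then
        echo "ERROR: private key does not match leaf certificate (cert 0)"; rc=1
    else
        echo "INFO: Private key matches leaf certificate"
        i=0
        while [ "$i" -lt "$ncerts" ]; do
            issuer=$(openssl x509 -in "$vdir/cert$i.pem" -noout -issuer)
            issuer=${issuer#issuer=}
            if [ "$i" -lt $((ncerts - 1)) ]; then
                # Every certificate but the last must be issued by the next one.
                next=$(openssl x509 -in "$vdir/cert$((i + 1)).pem" -noout -subject)
                if [ "$issuer" = "${next#subject=}" ]; then
                    echo "INFO: IssuerName of cert $i matches the SubjectName of cert $((i + 1))"
                else
                    echo "ERROR: cert $i was not issued by cert $((i + 1)); check the order"; rc=1
                fi
            else
                # The last certificate must be the self-signed root.
                self=$(openssl x509 -in "$vdir/cert$i.pem" -noout -subject)
                if [ "$issuer" = "${self#subject=}" ]; then
                    echo "INFO: Final certificate in chain is self-signed"
                else
                    echo "ERROR: final certificate is not self-signed; root is missing"; rc=1
                fi
            fi
            i=$((i + 1))
        done
    fi
    rm -rf "$vdir"
    return "$rc"
}

# Whole procedure in a temporary directory; prints the verify report and
# leaves server.txt ready for "kyrtool import all".  $1 = server host name
run_keyring_example() {
    wdir=$(mktemp -d)
    make_key_and_csr "$wdir" "$1" 4096
    make_test_chain "$wdir"
    concat_for_kyrtool "$wdir" "$wdir/server.txt"
    verify_chain_file "$wdir/server.txt" && echo "server.txt ready in $wdir"
}

run_keyring_example "traveler.example.com"   # assumed host name
```

The key is written unencrypted, as the guide requires for kyrtool, so run this on the restricted system the guide describes and copy only server.txt to the Windows workstation for step 6c. Feeding verify_chain_file a file with the root placed first, or with the root left out, produces the same kind of ERROR line that kyrtool verify would, which is the point at which to fix the order before importing.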


Open Mic Webcast: iNotes Setup, Configuration & Troubleshooting

Join members of the IBM Support and Development teams as they discuss iNotes setup and configuration as well as troubleshooting techniques.

After a presentation, attendees will be given an opportunity to ask our panel of experts questions. Throughout the event, attendees will also be encouraged to comment or ask questions in the IBM Connections Meetings Web chat. Join us for this interactive, educational, lively session.


Topic: iNotes Setup, Configuration & Troubleshooting
Date: Wednesday, February 25, 2015
Time: 11:00 AM EST (16:00 UTC/GMT, UTC-5 hours) for 60 minutes

Further information (dial-in numbers, etc.) can be found here.


IBM Connections mobile app V5.0 for Android and iOS

On December 31st IBM released version 5.0 of the IBM Connections mobile app for Android and iOS, including the following fixes:


LO80818 - Change the label Work to Work phone.
LO82462 - No entries shown in library.
LO82500 - The app crashes after concurrent deletion requests.
LO82859 - Uploading an image fails.
LO82916 - Can update a Profile picture even though AllowEditProfile is set to false.
LO82947 - Wiki_links do not work.


LO80818 - Change the label Work to Work phone.
LO82228 - Some labels are displayed in Iberian Portuguese instead of Brazilian Portuguese.
LO82462 - No entries shown in library.
LO82766 - Opening a file locks the iPad.
LO82848 - Save to Contacts does not work properly.
LO82857 - Uploading an image fails.
LO82923 - The InactivityTimeout does not work if you set it for 30 minutes or longer.
LO82947 - Navigation issue with Communities.
LO83001 - The app crashes when the configuration is saved.
LO83126 - Details of the selected Wiki are not loaded.