Friday, 15 August 2014

Configure Offline Replica for Notes Client

Instructions for Notes Client Configuration

Configure Local Replica:

This step will ensure that all the emails are downloaded and synced on local machine. Thus providing faster and offline access to emails. Once downloaded, emails can be instantly opened without relying on server connectivity.

Open the Mailbox and select any mail:

clip_image001[6]

Goto View menu and ensure that “Advanced Menus” is enabled/checked as shown in image below.

clip_image002[4]

Now, goto File -> Application --> “Make Available Offline..” option. It’ll be enabled only if Offline copy is not already been created.

clip_image003[4]

In the next dialog, click OK.

clip_image004[4]

This will create Local replica of your mailbox on your Notes Client. The process will run in background and may take few minutes to complete based on your mailbox size and network speed. For eg. If mailbox size is 100 MB, then you can calculate the time required to download 100MB file from internet. Once downloaded, only delta will be synchronized with server going forward.

To check the progress, open the Replication and Sync tab:

clip_image005[4]

There should be an entry with user’s name and Mailbox Icon as shown below.

clip_image007[4]

Location Settings:

Open Location Settings from Bottom Right corner of Notes Client:

clip_image008[4]

Edit the Location document for user.

clip_image009[4]

In the Edit Location Dialog, Goto 4th Tab - “Mail”

clip_image001[8]

Change Mail File Location to “Local”

Set Transfer outgoing mail if value to 1

clip_image002

Now open the Mail Icon from top bar in Notes Client:

clip_image013[4]

The Mail file opened now should show “Local” in Server Name space in Top left section of Mailbox:

clip_image014[4]


Faster Sync:

Goto File menu --> Preferences

clip_image015[4]

Goto Mail --> Sending and Receiving --> Receiving --> “Check for new mail every -- minutes”

Set the value as 5 minutes or as desired.

clip_image017[4]

Enable Schedule Replication:

Open the Replication and Sync Tab:

clip_image019[4]

Select “Enable Scheduled Replication/Sync” option to enable Scheduled replication.

clip_image020[4]

Open the “Set Replication/Sync Schedule..” option.

Enable Normal-priority Sync Schedule options as shown below.

clip_image021[4]

Scheduled Replication is more resource intensive as compared “Check Mail every xx minutes” setting mentioned earlier under “Faster Sync” heading.

Therefore, my recommendations would be not to use value of less than 15 minutes for scheduled replication. For “Check Mail every xx minutes” setting even 5 minutes setting is fine.

This document can be shared with all the End-users to let them configure the Notes Client and let them achieve the best and optimized performance from a fantastic platform !

Sunday, 6 July 2014

Customize Domino Login Form to allow only Email Address

Default Domino Login Form allows multiple variants of Username to login:

  • Notes Common Name
  • Notes Canonical Name
  • Notes Abbreviated Name
  • Email Address etc.

If administrator wants to restrict usage of email address only, then following customization can be used:

Assuming SSO is configured on Domino Server and Domcfg.nsf is deployed on server, we’ll create a custom login form:

  1. Open Domcfg.nsf in Domino Designer.
  2. Create a copy of “$$LoginUserForm” Form and rename it. For e.g. “DEMOLoginUserForm”.
  3. Open the newly created form and modify the “Username” field as shown below. Change the name of field to “User” in first and last tab of Field Properties.
    image
  4. Goto the “onChange” Event of “User” field and add following code:
    return onSelectEmail()
  5. Goto the “JSHeader” section of Form and add following code (Please update the domain name in code appropriately): function onSelectEmail(){
             if(document.getElementById('User').value=="") {
                 alert("Please enter username first");
                        document.getElementById('User').focus();
                        return false;
             }
                  document.getElementById('Username').value=document.getElementById('User').value+"@demo.com";
                  return true;
      }
  6. Add the Domain name in front of User field as shown in image above.
  7. Add following code as “Pass thru HTML” in the next line after User field:
    <input name="Username" id="Username" type="hidden">
  8. The form is ready now !
  9. Now open Domcfg.nsf in Domino Admin client and set the mapping for this new form:
    image
  10. That’s all !
    image

 

Let me know if you face any issues.. I’ll be happy to assist.

     

     

     

Monday, 3 March 2014

Configuring iNotes in a multiple HomeMail Server scenario with a WebSphere Edge reverse proxy server

This is draft to remember the points.. I'll update the article in few days..

Most important part is to enable Cookies with JunctionRewrite:

JunctionRewrite On UseCookie

Configuration of iNotes Web Redirect Database: Use the MailServer option and configure the Domain name and Proxy Server URL.
The problem with MailServer option in "iNotes Redirect" db is that it only changes the first URL.. The other subsequent HTTP request still try to connect the Proxy server without appending homeserver name, and the error will coming up in normal scenario. Now, with use of Cookie, ReverseProxy server remembers which server was last used.

Therefore, now with this setup the first request will go to Server1.
After authentication, iwaredir.nsf database will redirect the first URL to "http://server.demo.com/server1" OR "http://server.demo.com/server2" based on Homemail server.
At this moment JunctionRewrite will store the server information in Cookie.
All subsequent requests to server without "/server1/" in URL will still be able to reach the correct server because of this cookie.

My server setup: 
Proxy: http://server.demo.com
Domino1: http://server1.demo.com:81
Domino2: http://server2.demo.com:82

Following are the rules that I have used:

map /server1.demo.com/* /server1/*
map /server2.demo.com/* /server2/*

JunctionReplaceURLPrefix http://server1.demo.com/* http://server.demo.com/server1/*
JunctionReplaceURLPrefix http://server2.demo.com/* http://server.demo.com/server2/*

proxy /server1/* http://server1.demo.com:81/*
proxy /server2/* http://server2.demo.com:82/*
proxy /* http://server1.demo.com:81/*

ReversePass http://server1.demo.com:81/* http://server.demo.com/server1/*
ReversePass http://server2.demo.com:82/* http://server.demo.com/server2/*

Please let me know if you want more details on how to setup the Websphere Cache Proxy Server.

Reference:
1. http://www.ibm.com/developerworks/lotus/library/ls-Configuring_IWA_Edge_ReverseProxy/index.html?ca=drs
2. http://www.ibm.com/developerworks/lotus/documentation/apacherproxy4inotes/

Tuesday, 3 December 2013

Forgot password application for Domino sever

Forgot Password Functionality for Domino


Facing issues with installation ?? : Try the troubleshooting section at the bottom of this article.

Business Case:
This application implements the “Forgot Password” functionality for Domino. This feature is available today for almost any Web application which try to reset the password by sending notification to registered mail address. However, if you forget your Domino Webmail/Notes Client password, then you need to contact Administrators to reset the password. 
If the Organization has set the policy to change the passwords after every 60/90 days, then the password reset requests are more often. For a large Customer, we observed that around 60% Support requests are meant for Password Reset for Notes Client/Web Mail. 
This tools aims at minimizing such Support Calls by encouraging users to Register for Self Password Reset application. Users need to do one time registration and set their secret questions and answers. Once registered, users can use this application to Reset their Webmail/Notes Client passwords without engaging the Support team. 
Features of application:
- Reset password for both HTTP and Notes client (via ID Vault) in a single step.
- Front end application only consists of XPages design elements with total separation from data.
- No direct access to data via web interface/domino URL
- Secret answers secured with MD5 encryption.
- Forced  authentication for Registering/editing the profile.
- Used single XPage for password reset wizard with efficient use of Dynamic content control. Browser back button send use back to the start of wizard. Therefore, application having full control of flow.
- Lockout of Accounts and preventing unauthorized attempt to reset password. If tried to answer incorrectly more than 5 times. Lock-out is cleared automatically after defined interval via a Scheduled agent. 
Assumptions:
- ID Vault should be configured and installed.
- The Signer ID should have access to run XPages application and Password Reset Authority in ID Vault.
Application Architecture: 
wps_clip_image-21961
It consists of two NSF files: 
Front-End Application: The XPages frontend and the other one to store use profiles.
The first database contains configuration information to connect to second db. No other data is stored in it. It contains all the XPages design elements and is available for anonymous access use.
Back-End Data Storage Application: The second database contains all the registered user's profile documents. This database has no URL access and is only accessible by the front-end XPages interface. This approach avoids all URL based quirks to access data in NSF file. The user profile stores questions and secret answers as selected by user. The data is stored with MD5 hashing to ensure even administrators can't get access to user's personal information.
Application flow:
Step 1: Register your profile one time to select three questions from a admin defined list of questions. Provide easy to remember answers for the selected questions.
Step 2: If you have forgotten your password, then go to the application and proceed with password reset wizard. 
- It will ask first to verify email address 
- If the use profile is found for the entered email I'd, the application will prompt to provide answers for 3 questions. 
- If the answers match with the stored one in profile, user is allowed to provide new password. 
- The final screen provides confirmation message with results of password change process.
Installation Instructions:
- Download the application from project Download section and unzip on local machine. 
- Copy the two NSF files to your Domino Server’s Data Directory. 
- Sign the two databases with ID which has got rights to change password in ID Vault and can run XPages application on Server. 
- Open the resetpwd.nsf database in Notes Client and Modify the settings in Keywords view.
wps_clip_image-4648
n DATA_DB_PATH keyword specifies the path of ForgotPasswordData.nsf database. Please ensure a double “\\” to be added to path.
n The other settings specify the Domino Server names where ID Vault is located and where we would like to change the HTTP Password. 
n Few sample questions which can be easily customized in the QuestionList Keyword.
- Open the application resetpwd.nsf via Web Browser and check if it’s displaying the application HomePage. 
- Try to register a user’s profile and then try to reset the password for the same user. 
- The final screen will show status message of password change for HTTP and ID Vault. Fix the permission issues if any with ID Vault.
- Enable the Scheduled agent to Run on Server to UnBlock the profiles. This agent unlocks all such profile which were locked due to multiple failed attempts to reset the password. This is to avoid any person randomly trying to reset the password.
- Change Logos, Banner and Company Name in ccAppLayout Custom Control. 
wps_clip_image-14165


Let me know if any specific functionality is required to be added to the application.

Troubleshooting:

Pre-requisites:

1. This application require minimum Domino v8.5.3 Upgrade Pack 1 or Domino v9.0. It might not work with prior version of Domino, as advanced features of Extension library have been used.

2. Please ensure Session Authentication is Enabled on Domino Server.

3. Sign both the Databases with Admin Id. Signing with Server ID will not work.

4. Both user and server (on which application is running) should have Password Reset Authority with agent access.


Known errors and resolutions: 

1.  403 forbidden errors: 
User will get  403 forbidden error if a db is not signed correctly or user/server does not have access to run restricted agent. Therefore, ensure that both databases have been signed properly. Also, ensure that user has rights to run XPages applications on server. To allow user id being used for signing the db, add the same to server document under security--> programability restrictions.

2. Password reset authority errors: 
In ID Vault setup please make sure at the end there is @ shows up besides person and server name it comes up when put a tick mark
    In the right box, select an organization or organizational unit of users whose passwords will be reset.
    In the top, left box select the name of a user or server under which the application is authorized to run.
    Click "Add" to give the selected user or server name password reset authority for the organization or organizational unit highlighted on the right.
    If you added a user name, keep the user name highlighted on the right, and select "Self-service password reset authority."
Both user and server (on which application is running) should have Password Reset Authority with agent access.

Monday, 8 April 2013

iNotes Deployment in HA Mode with Multiple Clusters using Apache Reverse Proxy - Part 2

In continuation to my first post: http://xpagesera.blogspot.in/2013/03/inotes-deployment-in-ha-mode-with.html

In the last post, we tried setting up the Apache Reverse Proxy with Multiple Domino Clusters. Last week, we successfully implemented Apache Reverse Proxy in a unique way: 

Cluster size: 7 servers - 6 Mail Servers and 1 Admin Server. This setup ensures that all password changes are immediately available to all Servers. 

User's Mail file is available on either Server 1, 3, 5 OR Server 2, 4, 6. In this configuration 4 servers are in DC and 2 servers in DR. We want all traffic to land on Server 1 - 4 (DC). In case none of the DC Servers are available, then it should redirect request to Server 5, 6 (DR).

Instead of relying on the Domino Cluster Information, we have written Rules in Apache httpd.conf file to determine which Load Balancer Group a particular request should be redirected to. 

First, the formula used for Apache field in iNotes Web Redirect database: 

nodecookievalue:= @Name([CN];@NameLookup([NoUpdate];@UserName;"MailServer"));

clustercookievalue:=@DbLookup("":"";@Subset(@DbName;1):"names.nsf";"($ServersLookup)";nodecookievalue;"clustername");

nodecookie:=@SetHTTPHeader("Set-Cookie";"inotesses="+@LowerCase(nodecookievalue));

@Success

This field will write Cookie values inotesses: Mail Server Name in lowercase. 

Second, Check if below modules are present & loaded in Apache Reverse Proxy

LoadModule rewrite_module modules/mod_rewrite.so

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

LoadModule proxy_connect_module modules/mod_proxy_connect.so

Third, in the httpd.conf file, add Rules to redirect user request to only that server where user's mailfile is present.

<VirtualHost *:443>

ServerName webmail.demo.com

ProxyRequests off

SSLEngine On

SSLProxyEngine On

RewriteEngine On

SSLCertificateFile    /etc/apache2/ssl/webmail.crt

SSLCertificateKeyFile /etc/apache2/ssl/webmail.key

SSLCertificateChainFile /etc/apache2/ssl/chain.crt

ProxyPreserveHost On

<Proxy balancer://Cluster1/>

# loadfactor is added to ensure equal requests are sent to server01 and server02, while server03 will have lowest priority.

BalancerMember https://server01.demo.com:443/ route=server01 loadfactor=50

BalancerMember https://server03.demo.com:443/ route=server03 loadfactor=50

 BalancerMember https://server05.demo.com:443/ route=server03 loadfactor=1

ProxySet lbmethod=byrequests

</Proxy>

<Proxy balancer://Cluster2/>

BalancerMember https://server02.demo.com:443/ route=server02 loadfactor=50

BalancerMember https://server04.demo.com:443/ route=server04 loadfactor=50

 BalancerMember https://server06.demo.com:443/ route=server03 loadfactor=1

ProxySet lbmethod=byrequests

</Proxy>

ProxyPass / balancer://Cluster1/ stickysession=inotesses nofailover=Off

ProxyPassReverse / https://server01.demo.com/

ProxyPassReverse / https://server03.demo.com/

 

ProxyPass / balancer://Cluster2/ stickysession=inotesses nofailover=Off

ProxyPassReverse / https://server02.demo.com/

ProxyPassReverse / https://server04.demo.com/

 

RewriteCond %{HTTP_COOKIE} inotesses=server01 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster1/$1 [P]

 

RewriteCond %{HTTP_COOKIE} inotesses=server02 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster2/$1 [P]

 

RewriteCond %{HTTP_COOKIE} inotesses=server03 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster1/$1 [P]

 

RewriteCond %{HTTP_COOKIE} inotesses=server04 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster2/$1 [P]

</VirtualHost>

 

Now, Stop & start httpd service.

Monday, 11 March 2013

iNotes Deployment in HA Mode with Multiple Clusters using Apache Reverse Proxy.


High Availability for Lotus iNotes Installation
I am looking for various options available for achieving High Availability with Lotus iNotes installation. The article outlines the options available, work that Domino experts have done and the best option that suits my requirement.
Following available options are possible:
1. ICM (Internet Cluster Manager): ICM only provides initial redirect to correct Domino Web Server. But once user has opened a webpage and server goes down, user has to manually switch the URL to point to the other server or browse the ICM URL again.
http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/c1f2605b7be6a95985256b870069c0a8/36fd13678096637585256c1d0039a59b?OpenDocument
2. Hardware based Load Balancer
3. Software based Load Balancer: 
Following two options are possible with Domino: Websphere Edge Proxy Server and Apache Web Server. In this article, we'll use Apache Web Server for Reverse Proxy and Load Balancer configuration. 
Note: It seems like Daniel has already done all the hard work.. He has published a great series on the same topic !! The article is in Spanish, but can easily be translated in English via Google Translate. Please copy the code from Original version only.. 

I setup the following piece of code in httpd.conf: 

I setup two Domino Clusters as follows: 

Cluster1 - Server1, Server2

Cluster2 - Server3, Server4

 

<Proxy balancer://Cluster1/>

BalancerMember http://server1.demo.com:80/ route=Server1

BalancerMember http://server2.demo.com:80/ route=Server2

ProxySet lbmethod=byrequests

</Proxy>

 

<Proxy balancer://Cluster2/>

BalancerMember http://server3.demo.com:80/ route=Server3

BalancerMember http://server4.demo.com:80/ route=Server4

ProxySet lbmethod=byrequests

</Proxy>

 

ProxyPass / balancer://Cluster1/ stickysession=inotesses nofailover=Off

ProxyPassReverse / http://server1.demo.com/ 

ProxyPassReverse / http://server2.demo.com/ 

 

ProxyPass / balancer://Cluster2/ stickysession=inotesses nofailover=Off

ProxyPassReverse / http://server3.demo.com/ 

ProxyPassReverse / http://server4.demo.com/ 

 

RewriteCond %{HTTP_COOKIE} _clusterses=Cluster1 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster1/$1 [P]

 

RewriteCond %{HTTP_COOKIE} _clusterses=Cluster2 [NC]

RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ balancer://Cluster2/$1 [P]

Reference:

Monday, 7 January 2013

Lotus MailFile Template Modification: Prevent changes in received emails

 

In the default Lotus Notes Mail template, users can edit the received emails and modify the content. To prevent the same, following customization is required in template.
Edit "Memo" and "Reply" form in the designer                                

                                                                            
  change "QueryModeChange" event, by adding this code:                 
                 
  If  (Not source.editmode And source.document.HasItem("PostedDate"))   Then
       continue = False                                                         
       Exit Sub                                                                 
  End If                                                                    
                                                                            
Change "QueryOpen" event, and towards the top, add:                         
                                                                            
 If (Not (source.isnewdoc) And source.editmode ) Then        
     If (source.document.HasItem("PostedDate") ) Then           
          Continue = False                                          
          Exit Sub                                                  
     End If                                                     
 End If