Category Archives: domino

IBM Verse – The Commercial

I am told this will air during the NFL Playoffs this weekend, I guess I will just have to watch Football now this weekend 🙂

IBM Updates on SHA-2 and POODLE

Two new Technotes have been published

How is IBM Domino impacted by the POODLE attack?

The Short version it is and IBM will provide Interim Fixes for the following Domino releases:

    • 9.0.1 Fix Pack 2
    • 9.0
    • 8.5.3 Fix Pack 6
    • 8.5.2 Fix Pack 4
    • 8.5.1 Fix Pack 5

Planned SHA-2 deliveries for IBM Domino 9.x

The Short version

SHA-2 support for Domino 9.x is planned to be delivered over the next several weeks via an Interim Fix.

  • With this Interim Fix, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP. With a SHA-2 certificate in place, users will be able to use a browser to connect to iNotes, XPages, traditional Domino Web apps, and Sametime (based on Domino HTTP).
  • Once the Interim Fix is applied, browser users will not receive a security alert since Domino will be configured with SHA-2. Domino administrators will be able to import a 3rd-party SHA-2 cert or generate SHA-2 certs with the Domino Administrator client with Domino 9.x running the Interim Fix on all supported platforms.
  • As mentioned in the above section, the cryptographic infrastructure needed to provide these features was new to Domino 9.x. For this reason, we will not be able to support SHA-2 on Domino 8.5.x.

IBM Domino, Google, and SHA-1

There is a lot of talk these days about Google’s decision to accelerate the deprecation of SHA-1, and IBM Domino’s lack of support for SHA-2 .  Right off lets get this straight IBM absolutely should have plans to add SHA-2 support in Domino and an implementation date should be communicated ASAP.  At the same time the pressure should really be on Google to back down from what is an arbitrary deadline they announced out of the blue, and to support the previously announced 2017 date for the deprecation of SHA-1.

While it is easy to blame IBM here (and again IBM needs to communicate a date they will support SHA-2 in Domino) the immediate deprecation by Google is an arbitrary move that does not have a lot of support.

Some facts

  • Microsoft previously announced their plans to deprecate SHA-1 in 2017
  • Currently 92% of certificates on the Internet are SHA-1 signed
  • Google then decided to begin deprecating SHA-1 in November of this year
  • SHA-1 has not been compromised or hacked
  • Google as an Intermediate CA is issuing them with SHA-1 (but their deprecation policy exempts their own certificates)


Here is a statement from the CA Security Council 

Although the CA Security Council (CASC), comprised of the seven largest Certificate Authorities, supports migration to SHA-2, members are concerned about the impact on website users and administrators alike. Considering many users may still use software lacking SHA-2 support, primarily Windows XP SP2, and the still unknown impact on a complete SHA-1 migration, this 12 week timeline is aggressive. In addition, many devices still lack SHA-2 support, making necessary possibly unplanned and expensive upgrades.

With fall shopping season nearly here, this policy may be particularly concerning for small internet stores, which could be impacted just before the holiday rush. Because many large sites have lockdown periods leading up to the end of the year, companies that have not transitioned may find themselves restricted from making the move until January, or beyond, due to lack of SHA-2 support. Although a migration to SHA-2 is necessary as computing power increases, because of the significant impact in migration and the lack of a practical attack until 2018, the CASC members recommends thetimelines announced by Microsoft in November 2013, which deprecate SHA-1 in code signing certificates by January 1, 2016 and in SSL certificates by January 1, 2017.

If you want a clear explanation on all this, listen to what Steve Gibson has to say about it on Security Now (If it does not begin there automatically pick up the podcast at 48:37 for the SHA-1 discussion)

I’m Looking Forward to this

From my Inbox last night


IBM Mail Next 

IBM Notes and Domino 9 Social Edition Product Demo

Notes and Domino 9 Social Edition available for Download on March 21, 2013

Notes and Domino 8.5.4 Ship Date

Looks like the target to ship 8.5.4 has moved a little

Notes/Domino Fix List

Classic Domino Admin

This used to be a mainstay in my Notes client toolbar, and for some reason I forgot all about it, until someone was nice enough to remind me yesterday.

In preferences customize your toolbar and add a new button with a Formula of


Make sure that button is in a visible toolbar, and you now have an instant classic domino remote console

remember when life was so simple

I am sure this is documented elsewhere, but leaving it here as a reminder to myself.


Can Fix Packs be installed over Upgrade Packs?

I hear this question frequently with Domino 8.5.3 now having Upgrade Packs and Fix Packs available

Technote 1590268: Can Fix Packs be installed over Upgrade Packs?

Exlcuding a Specific NSF File from Compaction

This one is new in Domino 8.5.1 and later, but I just came across it the other day.

You can use COMPACT_FILTER= followed by a comma (or semi colon) separated list of databases to exclude from Compact when it is run server wide or against a specific directory

a very helpful notes.ini parameter












Technote 1415204: COMPACT_FILTER – notes.ini parameter to prevent compaction of specified files

Your Domino Server Console will Never Look Same Again

If you have ever opened a PMR for a Domino server crash or hang you are familiar with the debug_threadID notes.ini parameter.

For a while now I have enabled this by default on all of my Domino servers, the only real downside is a slightly busier server console, and more information in the console.log. The upside is more information available to support when it’s needed.

In Domino 8.5.3 debug_threadID is now enabled by default, you can still choose to disable it, but I would recommend leaving it enabled.

Technote 1567602:Lotus Domino 8.5.3 ships with Thread ID debug enabled by default