PlanetNTF

Almost a month ago, we introduced the first Domino v12.0.1 beta program and we received a lot of participation from customers, ambassadors, and business partners.

Now, we are pleased to announce Domino V12.0.1 Beta 2 Program.

Your input is essential to how we develop our products — and we will continue to listen to you every step along our roadmap. 

Highlights of Domino v12.0.1 Beta 2 Program: 

Domino 

• iNotes ID files in mail files no longer used for vaulted users
• Certificate Manager enhancements include Certificate import and export as well as Micro CAs. See Certificate Manager enhancements
• One-touch setup enhancements include TLSSetup and directoryAssistance objects supported for serverSetup. Also, a tool to validate a JSON configuration file. See One-touch setup enhancements.
• Auto-processing of rename requests
• Mail routing between Domino and domains with Internationalized Domain Names (IDNs)
• DKIM signing for messages routed to external Internet domains
• Backup and restore now supports integration with a third-party restore application. There are also improvements to multi-restore operations. For more information, see Backup and restore enhancements
• New Updall options
• Compact enhancement 

Domino Designer  

• New methods for DQL named results
• New method to saved sorted QRP results to a results view
• New methods for named documents 

Apart from above highlights, we have made minor changes and performance improvements.

To see the full list, please refer to Domino v12.0.1 Beta 2 release notes.

Beta participants, please let us know how you think about the product by submitting your feedback in our beta forum. For general input and new ideas or feature enhancement requests, please use the Domino ideas forum here.

Thank you for your participation and your passion for HCL Domino! #dominoforever

HCL Domino Product Team 

After the successful launch of HCL Domino v12.0 in June 2021, we are approaching the next milestone: We’re happy to announce two new beta programs at once, HCL Domino 12.0.1 and HTMO 3.0.3 have both launched a Beta Program today!

You are invited to join the beta program to test our latest release and provide feedback to development teams.  

We’re calling on our community to share open, effective, and thoughtful review and testing of our software product. Your input is essential to how we develop our products, and we will continue to listen to you every step along our roadmap. 

What you can expect from this first beta of Domino v12.0.1:

HCL Notes Client

Domino Online Meeting Integration

The Notes Client 12.0.1 is providing native integration of online meeting platforms like Zoom, Webex, GoToMeeting, Teams and of course Sametime Meetings. So, from within the Notes calendar users can now more easily schedule online meetings on their preferred platform without having to install a plug-in.

Improved Workspace Design with High Resolution Icons

The new Notes client is finally allowing to use high resolution icons for your databases, which makes a big difference to the look and feel of your workspace! No need to stick to small and old style 32×32 pixel database icons anymore.

We have already updated our standard templates with new icons, will you update yours?

Advanced Properties Box

You have asked for it, we have delivered: an all-new and resizable document property box:

Thanks to Panagenda, the new “advanced properties” box allows to search for field names or values, it also provides the requested ability to copy to clipboard or export to a CSV file:

What’s new in Notes v12.0.1?

https://help.hcltechsw.com/notes/beta/12.0.1/whats_new_01.html

HCL Domino Designer

We have already provided a 64Bit Notes client (in beta as of now), and based on your request are now providing a 64Bit Domino Designer client.

Also, Domino Designer v12.0.1 provides the ability to include high quality icons for rendering and enables developers to optimize the database full text index by defining which fields to be included in the index — a feature that many customers were requesting (see this idea).

What’s new in Domino Designer v12.0.1?

https://help.hcltechsw.com/dom_designer/beta/12.0.1/basic/whatsnew1201.html

HCL Domino Server

For the Domino server a number of enhancements are waiting for you:

• One-touch Domino setup with the ability to register users automatically
• Certificate Manager is now integrated and does not require the DSAPI filter configuration anymore
• Domino Directory template was cleaned up based on your request
• Updates to the QVault tool for better manageability of ID’s in the Vault
• Compare DB’s – a new template for developers to compare the design elements of two apps with each other
• Entitlement Tracking now providing monthly reports 

This is just the first beta drop! We are going to release even more features in the next stage of the beta program.

What’s new in Domino 12.0.1?

https://help.hcltechsw.com/domino/beta/12.0.1/wn_12.0.1.html

HCL Traveler for Microsoft Outlook (HTMO) 3.0.3

HTMO in version 3.0.3 is providing the following new features:

• Full support for delegated access (mail, calendar, contact)  
• Improvements to the out-of-office user interface 
• Performance improvements 

What’s new in Traveler 12.0.1?

https://help.hcltechsw.com/traveler/beta/12.0.1/new_server_features_12_01.html

What’s new for Microsoft Outlook support

https://help.hcltechsw.com/htmo/beta/3.0.3/whats_new_outlook_support.html

…and a number of minor changes and performance improvements.

For a complete list of changes and improvements, please refer to Domino v12.0.1 release notes.

How to Participate in this Beta?

Customers with a current entitlement to Domino can find the software packages for both beta programs on Flexnet.

Beta participants, please let us know how you think about the product by submitting your feedback in our beta forum. For general input and new ideas or feature enhancement requests, please use the Domino ideas forum here. 

Thank you for your participation and your passion for HCL Domino!
HCL Domino Product Team 

 

 

Over the past year, HCL Digital Solutions has been on a journey to consolidate our customers’ HCL Domino licensing around our modern, per user, licensing model – HCL Domino Complete Collaboration Business Edition (a.k.a. “CCB”) including unlimited Guest Users, and the additional external user capability under the HCL Domino Complete Collaboration eXternal User (a.k.a. “CCX”) entitlement. 

The majority of our customers are now licensed under this model. With the upcoming HCL Domino V12 release, we are further enhancing the CCB/CCX entitlements as described below.  

Additionally, with the release of HCL Domino V12 we are aligning all Domino products on consistent license terms, which will be available imminently and include the compliance rules outlined in “HCL Domino Support Update” from February 3, 2021. 

CCB Recap: Simplifying HCL Domino Licensing

CCB is the key step in our journey to provide one license model for HCL Domino, eliminating the uncertainty of server capacity and sub-capacity (PVU) licensing and ambiguous entitlement rules. 

• A simple “Per User everything model” – use any client and any protocol for any server capacity to run all applications – including enterprise e-mail. 
• Transparent license compliance management by simple user counting. 
• Adding additional capabilities to the core Domino environment under CCB entitlements from V12 – for example HCL Nomad for Web Browsers and HCL SafeLinx. 

CCB entitlements are needed for all employees and contractors of your enterprise needing access to your Domino CCB servers – covering all B2E (Business-to-Employees) scenarios. All CCB entitlements include unlimited external web user access as needed for most B2C (Business-to-Consumer/Citizen) scenarios: 

• Guest: unlimited anonymous browser users can freely access your Domino based websites. 
• Known Guest: unlimited registered users with credentials to log-in and access applications limited to being a “Reader” with permission to “write public documents” (controlled by Domino application access [ACL] – see Known Guest Use Cases later in this blog post).

For B2B (Business-to-Business) or advanced B2C scenarios, where the external users need to fully engage in applications beyond the access permitted for Known Guests, we introduced the CCX entitlement as an add-on for CCB licensing. (See “Introducing CCX, External User Entitlements“ from September 23, 2020.

Extending CCX entitlement to address additional use cases

CCX users have full functionally to use Domino or Domino Volt [see below] applications and workflows but cannot create applications themselves. CCX users do not have a personal mailbox but can use task/functional mail for workflow routing or applications generating mail.  

The CCX Authorized User entitlement is unique, however, can be reassigned after 30 days of inactivity.  Consequently, some former Domino Utility Server B2C use cases can now be easily changed from trying to manage/throttle server PVU consumption, to simply ensuring adequate CCX entitlements for actual/expected external users in any 30 day period, with little or no change to existing apps.  See later in CCX Use Cases. 

CCB Recap: Add-on features for CCB licenses

HCL will continue the “add-on” scheme for CCB licensing, which now includes: 

• HCL Domino Volt can be licensed to all CCB users.  Licensing HCL Domino Volt as an add-on, includes all CCB and CCX users, as well as enabling use of HCL Enterprise Integrator, HCL SAP Connector and HCL Link on all HCL Domino servers under CCB entitlements. 
• HCL Sametime Premium: special add-on price for CCB users to upgrade from HCL Sametime Premium Limited Chat to full capabilities.  

CCB Recap: Access to Domino Servers Licensed under CCB

HCL Domino Servers deployed under CCB Authorized User entitlements can only be accessed by the Licensee’s Enterprise entitled CCB Authorized Users, Guest Users, and CCX Authorized Users. No other user access or Domino Client Access Licensing are permitted access to CCB licensed servers.  In addition, the Servers may participate in mail routing (SMTP), directory lookup and authentication (LDAP) for non-HCL Domino programs and permit access to free/busy time information. 

Known Guest Use Cases (general B2C)

A Known Guest, as seen from an application, is an authenticated (must be identified) external user listed in the application access control list (ACL) with Reader permission and permitted to write public documents.  This access is either granted on a named user basis or by the user being a member of a group or generic association in the ACL. 

Content tailored to individual users, subscribing to information

Any Known Guest in an application can read all non-restricted documents in the database and download any attachments from these.  Access to specific documents in the database can be controlled by adding users/groups in the ”Reader Name Field” for the document(s). As a result, only the appropriate Known Guests can read/download content.  If you have a special Interest Profile or similar for the users, this can be used to filter the information available to relevant individuals. 

Submitting a form, starting a workflow, creating content

If a Known Guest is flagged as permitted to “Write Public Documents” this user will be able to see all Forms/actions in the application which are enabled as “Available to Public Access Users”.  
For example, using a Form called “Create Interest Profile”, which the user would complete and save to create a special Interest Profile or tailor a mailing list.   

Hints for the Admins/Developers: The Save Process can turn off the “$PublicAccess=1” flag to prevent the Interest Profile from being visible to all users of the app, but still available for the app and the originator to access appropriate content. 

 If/when the Known Guest wants to “Update Interest Profile” later, another Form will be used presenting the update options, maybe pre-populated with some of the existing information, and then processed as above. 

Hints for the Admins/Developers: The Known Guest cannot update the initial document directly (being “Reader”), but the app could include a background Agent to manage updating/merging the content. 

When B2C requires higher level of access than the Known Guest

The above simple rules should permit implementation of most B2C use cases, however, HCL have found a number of existing B2C apps hosted on Domino Utility Server which do not adhere to the above rules. HCL has decided to enable the reuse of these apps rather than mandating a rewrite (which you can of course always do). This is accomplished by relaxing the usage requirements for the CCX entitlement and permitting an entitlement to be reassigned after 30 days of inactivity.  See examples below. 

CCX Use Cases

A CCX Authorized User as seen from an application is an authenticated (must be identified) external user listed in the application access control list (ACL) with a maximum permission of Author. 
This access is either granted on a named user basis or by the user being a member of a group or generic association in the ACL. Any of these authenticated users can contribute documents to a Domino app/database, and edit own or other designated content. 

Some CCX B2B users will have a permanent, continuous, use of applications under the CCX entitlement.  
In B2C scenarios, with full use of app capabilities, user access is more sporadic. HCL have found that many customers with Domino Utility Server licensing, largely ignored the volume of users that were created as the user count was not a factor in licensing. These same customers struggled with server sub-capacity PVU management under fluctuating capacity needs and often had to throttle use to stay within licensed capacity (PVU) limits for their B2C apps, resulting in reduced customer satisfaction. 

Most applications written to work on a Domino Utility Server (using Author access) are now viable to deploy under CCX licensing, unchanged, by licensing the maximum volume of expected/planned users for any 30 day period. HCL still recommends that you optimize your B2C apps for the Known Guest model, which is included, with no limits, with even a single CCB entitlement. 

 Two examples of how to use short term/occasional external user engagement apps under the CCX model

Example 1: Job Postings

New Applicants register for web credentials and submit an initial Job Application Package.  They then: 

• Update Packages during interview cycles and eventually progress into on-boarding workflows 
• If not on-boarded, Job Application docs still exist and can be resumed/updated later by Applicants 
• When there is no activity with a particular Applicant for 30 days, the CCX entitlement can be reassigned to another Applicant/External user – effectively, you need entitlements for any active/expected users within any 30 days period. 

Example 2: Citizen/Government Interactions 

Many countries are creating authentication facilities for citizens based on government issued individual credentials.  Any user based licensing counting all permitted users, would be totally prohibitive for using these public IDs.  However, many apps exist or are being written to submit public forms, to obtain information from Government/Municipalities, etc under the Government ID: 

• The revised CCX is perfectly designed for many existing apps coded for user permission as Author. 
• The app must use the Government provided means of authentication, and then have appropriate ACL set-up to allow these external users access up through Author for the app.  Data can be kept around as app scenarios dictate, and user affiliation with the app likewise.   
• If there is no activity with a particular CCX Citizen for 30 days, the entitlement can be reassigned to another Citizen/External user – effectively, you need entitlements for any active/expected users within any 30 day period. 

 Both of these scenarios could, generally, be written/updated to work within the Known Guest model.

Aligning all Domino V12 Licenses

HCL Domino V12 products will be provided to customers on active Support consolidated under the four categories and License Information documents below.  Note, that all current entitlements, support subscriptions and part numbers remain unchanged. 

Program Name:  HCL Domino Complete Collaboration Business Edition 12.0 includes: 

• HCL Domino Complete Collaboration Business Edition 12.0 
• HCL Domino Complete Collaboration External User 12.0 
• HCL Nomad for Web Browsers (eliminating desktop upgrades for the future) is a supporting program uniquely provided with the CCB entitlement from V12. Any customer needing this feature must migrate to the CCB/CCX license model. 

 Program Name:  HCL Domino Enterprise 12.0 consolidating the following 3 models: 

• HCL Domino Enterprise 12.0 Client Access 
• HCL Domino Enterprise 12.0 Processor Value Unit  
• HCL Domino Collaboration Express 12.0 

 Program Name:  HCL Domino Messaging 12.0 consolidating the following 3 models: 

• HCL Domino Messaging 12.0 Client Access 
• HCL Domino Messaging 12.0 Processor Value Unit  
• HCL Domino Messaging Express 12.0 

 Program Name:  HCL Domino Utility 12.0 consolidating the following 2 models: 

• HCL Domino Utility 12.0 Processor Value Unit  
• HCL Domino Utility Express 12.0 Processor Value Unit 

Acquiring Entitlements and Support for above products is fully supported for CCB/CCX and for all other products as described in “HCL Domino Support Update” from February 3, 2021, under the following rules: 

• No partial renewals permitted for any licensing. 

• For HCL Domino Enterprise Client/Server:  If the current configuration is compliant for both client and server side, Support can be renewed as-is, or you can migrate to CCB, cost neutral.  In all other circumstances, to renew or adjust volumes, HCL require that you negotiate a migration to the CCB/CCX license model.  
• For HCL Domino Collaboration Express:  A compliant configuration can be renewed as-is, or you can migrate to CCB on attractive terms.  HCL also recommends migrating to CCB to increase footprints, or to take advantage of HCL Domino Volt, however, you are permitted to acquire additional perpetual entitlements for a compliant configuration. 
• All compliant standalone Utility Server entitlements can be renewed as-is (use of Domino Designer requires appropriate Domino Enterprise Client Access licences). To increase footprints, HCL require that you migrate to the CCB/CCX license model, which now supports all Utility Server use cases. 
• For HCL Domino Messaging product models: A compliant configuration can be renewed as-is.  Also, you can increase the footprint for a compliant configuration by acquiring appropriate new entitlement parts. 

 HCL has updated all formal HCL Domino V12 License Information Documents now available here. 

Managing the upgrade/coexistence scenario from Domino Utility Server to CCB/CCX

An existing Domino Utility Server PVU or Utility Express PVU configuration with appropriate Domino Enterprise Client Access licenses for app maintenance can be renewed as-is.  However, many customers want to grow their application volume (hence, deployed server capacity) or want to take advantage of moving to CCB/CCX and the CCB add-on capabilities.

If you replace your Utility Server Support Subscription with appropriate CCB/CCX Authorized User volume to cover the current users, you can leave the installation as-is and just use your new CCB licensing.

If you need to maintain coexistence between Utility Server and CCB environments, you need to observe the following guidelines: 

• Any entitlements included with CCB are only available to the CCB environment, e.g. Safelinx/Nomad Web. If HCL Domino Volt was added to CCB, the HCL Enterprise Integrator, HCL SAP Connector, and HCL Link are only available for the CCB environment.  
• Any existing HEI/SAP Connector in the Utility Server environment must be continued/renewed as-is and cannot be replaced by the CCB entitled programs.  
• Users defined on Utility Servers must be on the Denied Access List for all CCB servers to separate them from CCB licensing counts, whereas any CCB user is permitted access to the Utility Servers. 
• The V12 Entitlement Reporting Tool provides a report for all of your Domino Domains, however, you can drill down on specific servers or groups of servers to understand user volumes by server. 

This announcement further enforces CCB/CCX as the licensing platform for Domino customers, allowing all customers to upgrade to CCB and with CCB as the only model for all new customers.

If you have any questions about this blog post and announcements or have any licensing questions, please contact your HCL product specialist or Business Partner. 

 Useful Links:  

• HCL Software License Information Documents
• HCL Domino V12 Entitlement Tracker Tool
• Learn about Domino Access Control Lists (ACL) 

 Related Blog Posts:

• HCL Complete Collaboration (CCB) Guest Licensing
• Licensing Update: Introducing CCX, External User Entitlements
• HCL Domino Volt: April Release with New Integration Possibilities
• Exciting New HCL Sametime Features Released Today
• HCL SafeLinx 1.1 included with CCB  

Frequently Asked Questions

Updated since September 23,  2020, “Introducing CCX, External User Entitlements” 

Q: How are CCB/CCX users counted?

A: The Domino V12 Entitlement Tracker Tool produces an internal report to assist you with license compliance. (This report is not collected by HCL) 

• You simply count the entries across all Domino Directories and Authentication Sources permitting users to log-in.  The count of credentials permitting log-in equals the number of Authorized Users. 
• Keep separate track of “external” users and exclude from the CCB count.  A user on all Denied Access Lists are excluded from the counts. 
• CCB includes an unlimited entitlement for Guest users. If logged-in Known Guest user credentials are included in the Domino Directories identified/separated out as “guests”, simply exclude from CCB/CCX counts. 
• Needed CCX entitlements are established from the maximum number of log-in’s used or to be used in any 30 day period.  

• CCB and CCX can reside on same server or as administrator decides – counting is always across all Domino Directories in Licensee’s enterprise.   
• No employee or contractor in Licensee’s Enterprise can be a CCX or Guest user.   
   

Q: I am using an earlier Domino license model. How do I switch to CCB/CCX?  

A: CCB licensing is a superset of prior Domino licensing. When CCB licensing is established replacing active Domino licensing, CCB can provide the entitlements that were in place for the Domino Servers and various clients. To support the user constituents, you may need both CCB/Guest and CCX entitlements to match your current use cases, but you can continue to use deployed software. In most cases, if you have a compliant installation, the move to CCB is cost neutral. 

Q: I just need Domino apps, no need for mail or other features. 

A: Mail routing is intrinsic to Domino and to many apps that run on the platform. For simplicity, the full mail application is included with CCB and functional/workflow mail is included with CCX – both HCL Verse, the traditional Notes user interface, and mobile access. The mail function is always part of your entitlement, whether you use it or not. 

Q: Can I still just license mail? 

A: The mail-only licensing of Domino Messaging CAL/PVU, Messaging Express is still available. However, you can fully replace your mail entitlements with CCB and include Domino Volt to gain significant additional value for your users. (See also Aligning all Domino V12 Licenses in this blog.) 

Q: What is included with CCB and what are add-ons? 

A: The CCB license includes entitlements to  

• HCL Nomad for Web Browsers for all CCB/CCX users 
• HCL SafeLinx  for all CCB servers and CCB/CCX users  
• HCL Sametime Premium Limited Chat 
• You must have a CCB license to enable any code install/download & product support for the above functions. 

Add-ons include:   

• Full HCL Sametime Premium at a special, reduced, price 
• HCL Domino Volt for all CCB users at a simple uplift (which is also extended to all CCX users for no additional charge).  The HCL Domino Volt add-on includes HCL Enterprise Integrator, HCL SAP Connector and HCL Link which are entitled for all CCB entitled servers with Domino Volt 
• CCX on a per External User basis as described elsewhere in this blog. 

Q: What is a CCB user permitted to do? 

A: CCB users are entitled to all aspects of Domino applications and enterprise e-mail and purchased add-ons per above, without license restrictions on what users are permitted to do. CCB users can create and participate in apps and workflows to any level set by their Domino Administrators. 

Q: How do you restrict CCX and Guest users’ access to an application? 

A: Based on your settings in the Domino “Access Control List” (ACL) – all Domino databases/applications have an ACL which maps access levels to users. The access level is a classification limiting which tasks a user can perform in the database  – Manager, Editor, Author, Reader, Depositor, No Access – these classes are just labels, not verbatim. To fully understand permitted use cases, refer to the product documentation on ACLs found here  
Learn about Domino Access Control Lists (ACL). 

Hints for the Admins/Developers: Existing apps and standard templates may need customisation to support Known Guest users (free with CCB), whereas CCX users should have appropriate support with no changes to apps. 

Q: Why is a CCX user permitted ACL level up to Author? 

A: CCX users can fully participate in, and use (not create) Domino apps and workflows (including Domino Volt if added to CCB.)  The maximum ACL level allowed is “Author” access, which is typically assigned to users who need to contribute documents to a Domino database – and authenticated users can edit their own and other designated content.  
CCX is for authenticated, external users only and not permitted for any employee or contractor in the Licensee’s Enterprise. 

Q: Why is an anonymous Guest permitted ACL level up to Author? 

A: Anonymous Guests are web users, who beyond browsing a web site are permitted actions like submitting a contact form, participating in a web survey, posting anonymous blog content, etc. “Author” access is typically assigned to users who need to contribute documents to a Domino database just like CCX users, however, being anonymous they cannot edit any content, nor access individualised content and no details are retained as to who contributed to the database. 

Q: Why is a logged-in Guest only permitted ACL level up to Reader? 

A: Under ACL control, “Reader” access allows controlled creation of documents by using public access forms. Logged-in Guests authenticating with HTTP/LDAP are typically a dynamic, ever increasing volume of users visiting your web site, registering to gain access to community content, special interest forums, initiating workflows, etc.  “Reader” access is typically assigned to users who are only permitted to read documents in a database and/or using public forms to create documents. This case is for authenticated, external, limited use only, and not permitted for any Employee or contractor in the Licensee’s Enterprise.  
For external users needing any higher level of access, you must purchase CCX entitlements. 

Disclaimer – HCL’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at HCL’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard HCL benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multi programming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.  

While no platform is immune to the possibility of hacking, the question I would pose is: Has your Domino infrastructure ever been hacked?  Didn’t think so. It’s probably boring to say that the most straight forward answer is HCL Domino is rock solid on security.   When set up correctly and optimised, HCL Domino is the most secure platform of its type.  It’s true though.  Reliable and secure is a good thing. A very good thing. 

The HCL Domino v12 beta is out now.  If you haven’t already tried it, it’s free for all existing licensed Domino customers.  It’s waiting there in flexnet for you to download and try it out!  It’s the first time a beta of this type is in existence and it has multiple interactions (we’re currently on beta 2; beta 3 is scheduled for the end of March. Register here to join us for the beta 3 webinar.

What I really love about it is the almost instantaneous feedback from the beta forum, from those in charge of development.  Domino v12 is scheduled for full release in Q2 of this year.  (June 2021 timeframe is given at the moment).

Read an overview of what’s coming here.

Here’s is a list of all the NEW NATIVE security features coming in Domino v12 and there’s a whole host of them:

• Automating certificate management 
• Time-based one-time password (TOTP) authentication 
• Enforce internet password lockout based on IP address 
• TLS 1.0 is disabled by default 
• Support for PEM-formatted TLS host keys and certificates 
• Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
• New template signing ID uses 2048-bit keys
• NRPC port encryption supports forward secrecy using X25519
• Import internet certificates that contain unsupported critical extensions
• Suppress key rollover alerts during ID vault synchronization
• New Query Vault command options
• Support for SameSite cookie 

Also note native support for DKIM is planned in the 12.0.x timeline. (Again natively, you can achieve DKIM with third party mail gateways).

We could argue about which are the best and more important ones here, but I’m going to concentrate on the 4 new security features in Domino v12 that you’re going to want to implement straight away:

1. Automating certificate management 
2. Time-based one-time password (TOTP) authentication
3. Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
4. NRPC port encryption supports forward secrecy using X25519 

Note: these are all based on current plans at beta 2, some of these will be subject to change (for the better) come beta 3 and GA.

What is it?
Automating certificate management?

What does it give you?

This topic could probably be four killer new features in one on its own, because it includes so much.

The short answer here is it takes something that was a headache to most admins and makes it completely seamless and automatic. It also includes support for ECDSA which is very progressive in terms of offering support for cutting edge security (some browsers don’t even support it yet).

In order to explain the context here, we probably need a short history lesson on cert management in Domino.  Prior to SHA-2 being the supported, Domino managed certs via a Domino database. It did exactly what it said on the tin and was never really updated from the time of release. But it worked. There were only four steps listed in the database. Some customers did find it fiddly.

Then SHA-2 support for Domino came out and admins did not like how this was implemented.  Again, it’s Domino, so it was secure, and it worked, but the process was a headache.  I have to admit for 99 percent of our customers, I just did it for them to save them the hassle so I got used to it.  But you did need a kyrtool, you’d need to install Openssl, you’d have to copy and paste various commands, copy parent and intermediate certs into text files.  It was messy to implement.

Well that’s gone.

What’s in its place is the most straight-forward solution one could imagine.

Let’s Encrypt offers free third-party SSL certs.  They’re currently the most widely used Certificate Authority in the world and work with all major browsers (they’re sponsored by some of them).

You can now get Let’s Encrypt Certs in Domino, by filling in a couple of fields in a form.  In short saying, “I want a cert for my website.  Give me one now.”  And it will give you one straight away. In seconds, your web server will be running with that cert.  A new task called CertMgr manages it all.

“It can’t be that easy,” I hear you say.  Well, in most use cases, it is.

Wildcard certs are slightly different, but again it’s as easy as it can be.  Other third-party certs are still 100 per cent supported, and easier than ever to implement with the Certificate Store.

Another point you might have missed around this is CertMgr supports Elliptic Curve Digital Signature Algorithm (ECDSA) using the NIST P-256 and NIST P-384 curves.  Not all browsers support this yet (most do), but in short it has the potential to give quicker and more secure TLS connections and shows that HCL are ahead of the curve #badnerdpun.

How do you implement it?

There are a lot of options available here but I cannot over emphasise how straight forward this is to implement.

CertMgr runs as a task. The first time you load it builds a back-end Domino database.  The database has intuitive forms but there’s documentation just in case.  You create a free account with Let’s Encrypt with a couple of clicks within the database.

I don’t want to get too bogged down in the detail here, because you don’t actually need to know the back ground details, but there a couple of ways Let’s Encrypt will verify you’re the owner of the domain, either by HTTP response (the most straight forward I think, but requires that the server can initiate outbound HTTPS requests – even temporarily to Lets Encrypt) or via DNS Response.

The HTTP response in particular is VERY easy to setup.

Third party certs are managed via the database, so you won’t have to fiddle about with openssl and the kyrtool.

ECDSA is a more complex subject, but the steps to implement are relatively straight forward here, the main complicating factor here is managing browser support, there’ll be more of this in beta 3 (thanks to Daniel Nashed for answering some of my basic questions on this.  Follow Daniel’s blog for more expanded detail on these subjects).

What is it?

Time-based one time password (TOTP) authentication

What does it give you?

Firstly, the obvious point here is you’ve been able to do TOTP in Domino for a long time, but it required third party software or appliances.  Here we get TOTP natively within Domino.

What is TOTP? Well, it’s two factor authentication based on a time based password that changes.   You put an app on your device that manages a six figure pin that changes every 60 seconds and it associated with a specific account.

Here you can deploy here with any number of apps (I’ve used Google Authenticator and OpenATP with Domino12 extensively for a couple of months and both have worked perfectly).

How do you implement it?

It’s easy.

You set up a trust relationship with your ID Vault and TOTP.

You enable it on the configuration settings document and then either web site, server or virtual server document.

You’ve to do a once off configure on the login form (but there’s a template for you to use, so it’s two minutes work for a non-developer).

Restart Domino and you’re ready to go.

Each user does a self-enrolment process the first time they connect which is intuitive, and takes no more than a couple of minutes.

There’s more functionality coming on this with Directory Assistance and managing multiple domains so watch this space.

What is it? 

Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy

What does it give you?

Better performance on Perfect Forward Secrecy.

Perfect Forward Secrecy has been available since Domino 9.0.1 FP3 IF2.  It gives assurances session keys will not be compromised.

This new set of two new elliptical curves (once forward secrecy is set up) can offer better performance.  The two new curves are X25519 and X448. 

How do you implement it?

You do nothing. If you don’t want it you need to actively turn it off with a notes.ini setting. Domino 12 will attempt to use supporting curves in the following order

1. X25519 
2. NIST P-256
3. X448
4. NIST P-384
5. NIST P-521 

What is it?

NRPC port encryption supports forward secrecy using X25519

What does it give you?

This sounds very similar to the last one, but there’s a whole lot more to unpack here.  These are for Domino to Domino connections over port 1352 or Notes client to Domino connections over port 1352.

So if you’ve ports with encryption turned on (which nowadays we are recommending to everyone), with Domino 12 the level of encryption increases from:

• 128 bit AES-GCM for network encryption and integrity protection and 128 bit AES tickets 

 To: 

• 256 bit AES-GCM for network encryption and integrity protection, X25519 for forward secrecy, and 128 bit AES tickets.

Basically stronger, encryption, better protection for sessions with forward secrecy and a curve that gives the best performance.

How do you implement it?

This is one of those points of different between Domino and Notes clients and ANY other technology.  (i.e. as opposed to the Office365 hacks, which are being put down to weakness in how Microsoft authenticates out of box).  Certs are baked in.  Basically if you have port encryption turned on, this will turn on by default.  If you don’t have them, turned on you can just enable encryption on the ports (for all inter server traffic), and via a policy for Notes clients.

In any other technology this would be so much more complex to do.  You’d need multiple devices to manage the connections, you’d have to change the port numbers, probably have to allow that port in a firewall plus you’d need to manage certs with third parties.  With NRPC, you’re already using certs to connect in so it’s just saying encrypt the port.  The same port (1352) is in use whether encrypted or not encrypted, so no further changes are required on the network or firewalls etc.

Oh and that’s only NEW and NATIVE features in Domino 12.  I just have to mention one more briefly that is no-charge to all entitled CCB customers. It’s HCL SafeLinx.  It is already available and in the wild.  It supports both HTTP and Notes port connections out of the box as a reverse proxy.  If you already user HCL Nomad you’ll probably know about it.  Later this in 2021, HCL Nomad Web will be out and you’ll look into this more then. (It can also be used for Sametime, Traveler and Verse – there’ a webinar on this coming up).  It builds upon the layers of native Domino security and gives you flexibility to add extra layers of security, particularly for external connections.  The main advantage is that it’s got baked in functionality for Domino so you don’t have to reinvent the wheel to do a basic set up.

I hope you enjoyed my first blog for HCL.

As always please provide feedback if you found anything interesting here.

Cormac McCarthy – Domino People Ltd