This and that...

LN 8 and 8.5: New Admin Features

Lotus Notes and Domino

Posted by Martin, Tue, January 27, 2009 17:57:57

Domino 8 provides new administration features

Mandated ID Encryption Standard - New feature with Domino 8.0.1 to allow corporations to mandate AES encryption in Notes ID files.

Continuing my series on Domino 8 Administration features, new with Domino 8.0.1 is the option to mandate the encryption standard for ID files. Full details can be found at the infocenter. With Notes 8.0 and Domino 8.0.1, there is an option to use AES for ID file encryption. Here's how strong AES is:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

Implementation of AES requires a Domino 8.0.1 server. A Security Settings document is used to configure how the ID file's encryption will be enforced on your server. In a new or existing Security Settings document, you will need to go to the Password Management tab and then scroll to the bottom to the ID File Encryption Settings section:

For both the Mandated and Allowed encryption standards fields, you have the following choices (the same choices as when you change your password in Notes 8.0):

- Compatible with all releases (64 bit RC2)
- Compatible with release 6 and later (128 bit RC2)
- Compatible with release 8 and later (128 bit AES)
- Compatible with release 8 and later (256 bit AES)

First of all, it is great that companies can now mandate this. But the super swank option is the "Key derivation strength (iterations)" field. In layman's terms, the higher you set this value (the default is 5000), the longer a dictionary attack will take against the ID file. It won't be impervious to an attack, but you shouldn't be using passwords that are in dictionaries... From the infocenter:

Key derivation strengthening is a technique used to make it more costly for malicious attackers to guess likely passwords through a brute force dictionary attack. They work by increasing the time it takes to generate a key from a password. The value for this field is the number of times an HMAC algorithm is applied as part of the operation that generates a key from the password. Specifying a larger number for this value increases the duration of each attempt during a dictionary attack. The default setting for this field is 5000, which is acceptable in most environments. Organizations with higher security requirements may wish to specify a higher value.

So, once you have your servers at 8.0.1 and then have clients at 8.0 or higher, you can begin enforcing this. However, you may also phase this in with a tiered approach. For instance, if you have admins and/or developers that may have access to sensitive data, you may wish to get them on the Notes 8.0 + client and apply a special security settings document to their policy.
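To make the effect of the "Key derivation strength (iterations)" field concrete, here is an added example (not from the original post or from IBM) that measures how the cost of a single password guess grows with the iteration count. It assumes PBKDF2-HMAC-SHA1 as a stand-in, since the page does not name the actual key derivation function used for ID files; the wordlist size and the non-default iteration values are constructed for comparison.

```python
import hashlib
import os
import time

def derive_key(password, salt, iterations, key_len=32):
    """Derive an AES-256-sized key with PBKDF2-HMAC-SHA1.

    Assumption: PBKDF2 stands in for the Notes ID file KDF, which the page
    describes only as an HMAC applied `iterations` times.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=key_len)

def seconds_per_guess(iterations, samples=5):
    """Best-of-N wall-clock cost of one derivation, i.e. one password guess."""
    salt = os.urandom(16)
    best = float("inf")
    for i in range(samples):
        start = time.perf_counter()
        derive_key("constructed-guess-%d" % i, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def hours_to_exhaust(wordlist_size, per_guess_seconds):
    """Time for one core to try every entry of a wordlist of this size."""
    return wordlist_size * per_guess_seconds / 3600.0

def compare(iteration_settings, wordlist_size):
    """Return (iterations, seconds per guess, hours for the full list) rows."""
    rows = []
    for iterations in iteration_settings:
        per_guess = seconds_per_guess(iterations)
        rows.append((iterations, per_guess,
                     hours_to_exhaust(wordlist_size, per_guess)))
    return rows

if __name__ == "__main__":
    # 5000 is the default from the Security Settings document; the other
    # values and the 10-million-entry wordlist are constructed for comparison.
    for iterations, per_guess, hours in compare([1, 5000, 50000, 500000],
                                                10_000_000):
        print("%7d iterations: %.5f s/guess, %10.1f h for the list"
              % (iterations, per_guess, hours))
```

The absolute times depend on the hardware; the ratio between rows is what the setting controls, and the same cost is paid once by the legitimate user at each login.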

Admin Preferences and Client Versions - New Admin Client preferences and details of the new Client Version view

There are 2 features that I would like to review quickly in this session.

First are two additions to the Domino Administrator Preferences that can be time savers. One is the option to "Automatically run in live console mode". This will default to launching the Administrator Client to the Server > Status > Server Console screen for the server listed in the "On startup" field. How many times have you wanted to open the Administrator client just to get a console window? Now this can be your default behavior! The other option allows you to specify databases that will launch automatically. In the image below I'm wanting to open ddm and log on the specified server.

The second feature is a "Client Version" view in the address book. It's listed under People > by Client Version.

Enhanced Quota Feature - A new option to proactively enforce quotas

A recently published devWorks article details the Enhanced Quota Feature in Domino 8. This enhancement will proactively prevent the creation of memos, calendar entries, and to-dos if a mail file is at or near a certain quota threshold. In prior releases, the user would be able to begin the creation of the document and receive an error when attempting the save operation. This takes the quota enforcement a step further.

Note that the document states that this can be enforced via policies. I have not been able to find these options in any of the policy documents, though. The notes.ini settings can be pushed down via modifications to the policy documents.

Inbox Maintenance - A new AdminP function to clean up the inbox

Inbox maintenance can be a good tool to improve performance on your mail server and for your clients. For detailed information on how this is possible, I refer you to this great devWorks article: Best practices for large Lotus Notes mail files

Basically, this document is telling you that the Inbox is the most expensive container in a mail file. It is updated each time a user opens the mail file or clicks the refresh button. The Inbox is also where new mail is delivered. Reducing the number of documents in the Inbox reduces CPU utilization as well as the space required to update and maintain the view index.

Domino 8 now allows administrators to schedule a time to clean up the inbox of some or all mail files. Keep in mind that, other than the ($Inbox) view index, this will have a negligible effect (if any) on the storage used by the mail file. The documents are only removed from the Inbox and will remain in All Documents or any other folders in which messages may have been copied. In a phased-in approach, Inbox Maintenance can be a useful (blackmail) tool to get users to begin using folders and manually cleaning up the Inbox (I think we have all seen the users who feel they need to keep all of their mail in their Inbox, right?). For instance, you could choose to notify users that in 30 days all messages over 180 days will be removed from the Inbox of all mail files.

There is a 2 step process to enable this:

1. You must edit the Server Document. Go to the Server Tasks tab and then to the Administration Process tab. At the bottom right, you will see this:

As you can already see, the Inbox Maintenance is a function carried out by AdminP. In the Server Document you can control the day(s) and time this will run. You may also choose to run this only on specific users' mail files or on those files maintained through policies. Along with the schedule specified in the server document, you can also run Inbox Maintenance by issuing the TELL ADMINP PROCESS MB command. If you choose to run this on selected mail files, you are able to choose how many days to retain and whether to remove unread messages.

2. After modifying the Server Document, you may want to use policies to control the subset of mail files to maintain. You will need to implement this through a Mail Settings document in a Policy. In the Mail Settings document, go to the Mail tab and then the Basics tab. The Inbox Maintenance section is at the bottom:

ODS 48 - Details about the new On Disk Structure

A new On Disk Structure (ODS) is available with Domino 8. This is an update from ODS43 to ODS48. First of all, upgrading applications (formerly called databases) to ODS48 is completely optional and requires the addition of a notes.ini setting on the server (or client).

This setting is: Create_R8_Databases=1.

If you enable this in a global configuration document, the pre-8 servers will ignore it and will not be affected by having this setting. This can be a good way to propagate this to all (or many) of your servers prior to upgrading to Domino 8. As with previous ODS upgrades, a copy-style compact is required to upgrade all databases to the new ODS. However, the applications will not be upgraded automatically with a copy-style compact as they were with previous ODS upgrades unless the notes.ini setting is enabled.

What do I get with the new ODS?

1. There are some general I/O enhancements and "folder optimizations".

2. The maintaining of a "Database Names List" used for user renames
With ODS48, a list of all of the Readers and Authors in an application is maintained at a high level by default. This will improve the efficiency by which AdminP can process the user rename requests ("Update User Name in Reader and Author Fields"). If AdminP finds the user's name in the Database Names List, it will continue processing that application. Otherwise it will skip the application.

3. Design Compression
This database property (found on the Advanced tab of ODS43 and ODS48 database properties) will compress the design notes. IBM states that mail files based off of mail8.ntf will only utilize 11MB instead of 25MB if design compression is enabled. As you can see, 14MB of savings per mail file can be huge. This feature is disabled on all databases by default. However, the mail8.ntf template does have it enabled. You may choose to disable this property in the template prior to creating new mail files or converting existing mail files to version 8.

As with enabling ODS48, a copy-style compact is required to enable design compression. If you are planning on upgrading to ODS48 and enabling Design Compression on mail files, you should consider doing these at the same time by enabling the Design Compression property prior to running the compact so that you don't have to run the copy-style compact twice.

In planning your Domino 8 upgrade, the considerations above regarding the new ODS should assist you in deciding whether or not you will wish to enable ODS48.

Prevent Simple Search and Deferred Sort Index Creation - Information on these two new features

The two items I will discuss below are enhancements to Domino 8 that may impact disk space and/or memory utilization on your servers. The first may also impact your end-users, so you should be aware of the caveats of enabling it.

Prevent Simple Search:
This option is found in the Advanced tab of the Database Properties dialog. It's called "Don't allow simple search" in that dialog. This will prevent someone from performing a search in a database that is not full-text indexed. Performing a search on a database without an index is a very time consuming process and the results are generally not as you would expect when compared to the search time and results returned from an indexed database. Enabling this option will prevent this type of search. However, many end-users may not know that they are doing this (by not noticing, or caring, that the database is not indexed) and will be used to performing searches. If you enable this option on mail files, be aware that you may receive many requests to create full-text indexes for those end-users who may have been performing simple searches. Creating these indexes will add to the overall drive space that is needed on your server.

Deferred Sort Index Creation:
This option can be a fairly decent space saver on your server. It is a design property, "Defer index creation until first use", of sortable columns and is visible under the "Click on column header to sort" option. This option prevents the indexing of specific columns when the view is created. For example, most users may never sort their mail file using the Response Icons column. Prior to having this option, however, that column's sort index would have been included in the space used by the view.

So exactly how much space can this save?

Let me use my mail file as an example. After perusing through Designer to see how this option is enabled by default in the mail8 template, I notice that the Subject, Size, and Response columns have this option enabled. So, after purging the view index of my All Documents view (~1,500 docs), I opened that view. The initial size was 1,147,984 bytes (so, just over 1MB). I then sorted by the Subject column and the size increased 28%. I then proceeded to sort by the Size column and the increase was another 29%. Finally, I sorted the Response column and the size increased another 28%. In total, my view index for All Documents is now 2,132,224 bytes. This represents an 85% increase over the initial size of the view. Of course, with a relatively small mail file this will not have as much impact, but just imagine the savings with a much larger file.

I'm hoping that this "Domino 8: 101" series will be helpful as you continue your planning to upgrade to Domino 8 and evaluating the things that you, as an Administrator, will need to know. There have been many features added in Domino 8.0 - even though it was mostly a client-focused release. As you can see from previous posts in this series, IBM has a focus on saving space and time with Domino 8 and beyond. Just this week, an additional NSF compression algorithm was announced with 8.0.1 and there is more planned for Domino Next.

Server OS Upgrades - What you need to know about the supported Operating Systems for Domino 8

In planning for Domino 8, it may be possible that you will have to upgrade the Operating System that your Domino 7 (or 6 or earlier) servers are running. For more information, see the detailed system requirements here.

In some of these cases, such as Windows 2000, this is because the Operating System is no longer supported by the vendor. There is currently no set EOS date for i5/OS V5R3, but it is nevertheless not a supported OS for Domino 8.

The following operating systems are not supported for Domino 8. If you are running one of these with any prior version of Domino, you will need to upgrade the OS to be in a supported configuration for Domino 8. Please note that the latest release levels of all of these platforms are still supported and that it is generally recommended to stay fairly recent on the Operating Systems in your environment. There is also no rip-and-replace involved (as with other messaging platforms) - the most current OS levels were supported for Domino 7.0. So, if you are current on your OS and current on your Domino installation, you will have no issues upgrading to Domino 8. Also, I'm in no way criticizing IBM for this move to only support the latest OS release levels - just making you aware of it for your planning purposes.

OS Platforms Not Supported For Domino 8.0:

Microsoft Windows
Microsoft Windows 2003 Server Standard Edition
Microsoft Windows 2003 Server Enterprise Edition, Service Pack 2
Microsoft Windows 2003 Server x64 Edition
IBM AIX 5.3 (64-bit kernel), minimum patch level of TL7, 0815 (5300-07-04-0815)
IBM AIX 6.1 (64-bit kernel), Service Pack 4, APAR IZ10223, APAR IZ09961, APAR IZ10284, APAR IZ08022
Novell SUSE Linux Enterprise Server (SLES) 10 x86 (32-bit)
Novell SUSE Linux Enterprise Server (SLES) 10 x86_64 (64-bit)
Red Hat Enterprise Linux (RHEL) 5.0 and 5.1 (32-bit)
Sun Solaris
Sun Solaris 10 (64-bit kernel), March 2006 patch cluster or higher
IBM System i
IBM i5/OS, V5R4
IBM i5/OS, V6R1
IBM System z
IBM z/OS Version 1, Release 5 or later
Linux on System z
Novell SUSE Linux Enterprise Server (SLES) 10 on System z (64-bit)
Red Hat Enterprise Linux (RHEL) 5 on System z (64-bit)

Unread Marks Enhancements - There are two enhancements to better replicate unread marks on replica creation.

Anyone who has worked with Domino mail replicas knows that there is a history of problems with unread mark synchronization. With Domino 8, there have been at least two areas of improvements.

First of all, there is a new notes.ini setting: ADMINP_EXCHANGE_ALL_UNREAD_MARKS=1. This new setting is available for Domino 6.5.6, 7.0.3, and 8.0. It is detailed in Technote 1245043. This setting will exchange all unread marks in new replicas created via the Administration Process (instead of only the default 90 days' worth). Also, it requires that only the source server be running the fixed version of the server code.

Second is a new option in the Create Replica(s) dialog box. As depicted in the graphic below, there is a new option to "Exchange Unread marks on replication":

This works very similarly to the notes.ini setting described above. If the source server is at Domino 8.0*, then the Administration Process will "attempt to match all of the unread marks from the source database with the target database."

* - I had hoped that this would work with Domino 6.5.6 or 7.0.3 servers like the notes.ini setting, but it does not. The source server and Administrator Client have to both be at 8.0 or higher.