fighting for truth, justice, and a kick-butt lotus notes experience.


Detlev Poettgen


IBM Notes Traveler available with support for iOS 9 and Windows 10 Pro

 26 August 2015 20:28:36
IBM has today released the new version of Traveler.

At the moment I do not know, if all the issues (details can be found here) of are fixed. We will have to do some more tests during the next days.
The main device and database changes included in are:
- Support for Windows 10 Pro running on tablet devices.
- Support for Apple iOS 9.x running on all Apple devices.
- Support for Microsoft SQL Server 2014 Enterprise Edition.
Here is the full APAR list:
APAR # Component Abstract
LO85507 Server Meeting notice may remain in Notes Client inbox when deleted on BB10 mobile device.
LO85581 Server Folder update may unsubscribe folder from syncing to IBM Verse mail application on mobile device.
LO85582 Server Only set database transaction isolation level if not already set as default.
LO85705 Server Mime format document missing required header data will not sync to mobile device.
LO85730 Server Intermittent stack overflow exception error causes Traveler server crash.
LO85728 Server Update APNS certificates for IBM To Do application, current certificates expire in September 2015.
LO85746 Server Signal 11 Traveler server crash in OSTranslate Domino API call.
LO85767 Server User stops syncing for a while and see this error message on server for this user “Object has been removed or recycled”.
LO85798 Server Multiple accept notices sent for unusual meeting when accepted on mobile device.
LO85823 Server Mime format attachment with unknown content type will not sync to mobile device correctly.
LO85857 Server Error accessing user’s device profile document may prevent load of existing settings for user.
LO85880 Server E-mail marked unread on Android Verse client not marked unread on server.
LO85885 Server Embedded pdf attachment in plain text e-mail may not download to mobile device.
LO85924 Server Verse mobile client may use wrong contact photo when local and corporate address book have a contact with the same name who are different people.
LO85929 Server Embedded image may not download to IBM Verse client on Android devices.
LO85951 Server Warning message displayed when using DB2 9.7 FP10 with Traveler HA environment.
LO85999 Server Mail deleted in Verse mobile app may not be reflected on server.
LO86016 Server Meeting cancelled from Verse mobile may still reflect on server calendar.
LO86052 Server Department field in contact may not sync to Verse mobile client.
LO86061 Server Some messages sent by Verse mobile can not be recalled by Notes client.
LO86140 Server Verse client with unlimited mail filter may switch to 30 day filter if another device has 30 day filter.
LO86164 Server Some Calendar events may disappear from native calendar on iOS 9 device.
LO86165 Server Unable to add invitee to single instance of repeating event from native calendar on iOS 9 device.

You can download the update as usual on IBM FixCentral.


Creating a Self-Signed Server certificate based on your own Root CA

 17 August 2015 12:22:15
I know that many of you are still using self-signed server certificates that were created with the Domino Server Certificate Admin template.

Because the resulting certificates are signed by themselves, there is no real Root CA that you can deploy to a client in advance.
Other problems: the bit length is a joke and the certificates are only based on SHA1, which is deprecated.

So if you need an SSL certificate for your server, I recommend using a SHA-2 4096-bit certificate issued by a real trusted Root CA.

You have two options:

Option A - Have your server certificate signed by a public root authority like Thawte or Verisign
Recommended if your site/server is publicly available AND you are not able to manage the clients.

Option B - Create your own Root CA and sign your server certificate with your Root CA.
Recommended for internal use, if you are able to manage your clients or devices, so that you can deploy the root certificate to the trust store of the clients.

Let's take a look at Option B:

In the following I will explain the steps to create your own Root CA and how to create a new SSL Server key for Domino based on SHA-2.

1. Step: Preparations:

To use SHA-2 certificates together with Domino, you must use a version starting with 9.0.1 FP3. (If you are still using Domino 8.5.3, you must upgrade to the current version 9.0.1)

We will need OpenSSL to create the keys and the new IBM KYRTOOL to create a Domino Keyfile.

1.1. Download and install OpenSSL, if not already installed

Download the latest “lite” version of OpenSSL from here and install it on your Windows machine.  
I installed mine to C:\openssl

1.2. For Windows:

Set the environment variable for OpenSSL using a command prompt

Set OpenSSL_Conf=C:\openssl\bin\openssl.cfg

1.3. Download the IBM KYRTOOL from Fix Central and install it.

The download can be found here.
Extract and copy the executable to your Notes program directory. (Your Notes/Domino Installation must be 9.0.1 with Fixpack 3)

1.4 Create a folder in your file system to store your certificates

I will use C:\myCerts

2. Step: Create your private Root CA

2.1.  Create CA Private Key

Open a Command prompt and switch to the OpenSSL directory (c:\openssl)

openssl genrsa -des3 -out C:\myCerts\myCA.key 4096

2.2. Create CA Certificate (10 years validity in this case using SHA-2)

openssl req -new -sha256 -x509 -days 3650 -key C:\myCerts\myCA.key -out C:\myCerts\myCA.crt

That's it! Make a backup copy of your created myCA.key and myCA.crt. Store them in a secure place.
This is your new Root CA, which you can use for all internal server SSL keys from now on.

3. Step: Create your Server certificate

3.1. Create Private Key for your Domino Server

openssl genrsa -out C:\myCerts\myServer.key 4096

3.2. Create Certificate Signing Request for your host

openssl req -new -sha256 -key C:\myCerts\myServer.key -out C:\myCerts\myServer.csr

4. Step: Sign your Certificate Signing Request using your Root CA

4.1. Sign host Certificate with CA Certificate (5 years validity)

openssl x509 -req -sha256 -days 1825 -in C:\myCerts\myServer.csr -CA C:\myCerts\myCA.crt -CAkey C:\myCerts\myCA.key -set_serial 01 -out C:\myCerts\myServer.crt

5. Step: Create an empty Domino KYR File

Open a Command prompt and go to your Notes program directory and run the kyrtool

kyrtool  create -k C:\myCerts\myServer.kyr -p yourPassword

Once run you should have a myServer.kyr and myServer.sth stash file.

6. Step: Merge your key and certificate chain into a single TXT file

We need a single text file that contains:

- the myServer.key - we generated in step 3.1,
- the myServer.crt - SSL certificate we created using our CA in step 4.1
- the myCA.crt - root certificate of our CA generated in step 2.2.

Open a Command prompt and go to C:\myCerts directory. The type command will create a single file:

type myServer.key myServer.crt myCA.crt >myServer.txt

Verify that myServer.txt contains all needed intermediate and root certificates. In our case we only have one root certificate.
Switch back to the Notes program directory and run the kyrtool
kyrtool verify C:\myCerts\myServer.txt

7. Step: Merge TXT file with your certificate chain into the Domino KYR file

kyrtool import all -k c:\myCerts\myServer.kyr -i c:\myCerts\myServer.txt

8. Step: Validate your KYR-File

kyrtool show keys -k c:\myCerts\myServer.kyr  

kyrtool show certs -k c:\myCerts\myServer.kyr

9. Step: Copy the myServer.kyr AND myServer.sth to your Domino Data directory

10. Step: Deploy the public key of your Root Certificate myCA.crt generated in 2.2.

The public key of your Root CA (myCA.crt) must be added to the known Trusted Root Certificates of the device.
Use your existing Windows PC management or your Mobile Device Management system to deploy the myCA.crt file.

11. Step: Check that the correct KYR file is configured in your Domino Server or Website document


12. Step: Restart your Domino HTTP Task

You should know, how to do that :-)
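
Steps 2 to 6 as one non-interactive POSIX shell script, followed by checks worth running before step 7; this is an added example, not part of the original post. The `CA_PASS` variable, the subject names, `req.cnf` and the function names are assumptions, and on Windows the same `openssl` arguments apply with the paths used above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: CA_PASS, the subject
# CNs, req.cnf and the functions build_chain, key_matches_cert, preflight.

# build_chain DIR [BITS]: steps 2.1 to 6 without prompts. Runs in a subshell so
# the umask (files readable by the owner only) does not leak into the caller.
build_chain() (
    dir=$1; bits=${2:-4096}; umask 077
    # Minimal request config, so the CA extensions do not depend on a system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 2.1 CA key, encrypted with the passphrase taken from $CA_PASS
    openssl genrsa -des3 -passout env:CA_PASS -out "$dir/myCA.key" "$bits" 2>/dev/null &&
    # 2.2 self-signed CA certificate, SHA-256, 10 years
    openssl req -new -sha256 -x509 -days 3650 -config "$dir/req.cnf" \
        -key "$dir/myCA.key" -passin env:CA_PASS -out "$dir/myCA.crt" &&
    # 3.1 / 3.2 server key and CSR; the CN is the host name clients connect to
    openssl genrsa -out "$dir/myServer.key" "$bits" 2>/dev/null &&
    openssl req -new -sha256 -config "$dir/req.cnf" -subj "/CN=domino.example.internal" \
        -key "$dir/myServer.key" -out "$dir/myServer.csr" &&
    # 4.1 sign the CSR with the CA, 5 years
    openssl x509 -req -sha256 -days 1825 -in "$dir/myServer.csr" -CA "$dir/myCA.crt" \
        -CAkey "$dir/myCA.key" -passin env:CA_PASS -set_serial 01 \
        -out "$dir/myServer.crt" &&
    # 6. key + server certificate + root certificate. This file holds the
    #    unencrypted server key: delete it once "kyrtool import all" has succeeded.
    cat "$dir/myServer.key" "$dir/myServer.crt" "$dir/myCA.crt" > "$dir/myServer.txt"
)

# key_matches_cert KEY CERT: true if the certificate carries the key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# preflight DIR: checks on the files before they go into the KYR file.
# Prints one line per failed check and returns the number of failed checks.
preflight() {
    dir=$1; fails=0
    openssl verify -CAfile "$dir/myCA.crt" "$dir/myServer.crt" >/dev/null 2>&1 ||
        { echo "myServer.crt does not chain to myCA.crt"; fails=$((fails + 1)); }
    key_matches_cert "$dir/myServer.key" "$dir/myServer.crt" ||
        { echo "myServer.key does not belong to myServer.crt"; fails=$((fails + 1)); }
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$dir/myServer.txt" 2>/dev/null || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/myServer.txt" 2>/dev/null || true)
    [ "$keys" = 1 ] && [ "$certs" -ge 2 ] ||
        { echo "myServer.txt: expected 1 key and at least 2 certificates"; fails=$((fails + 1)); }
    return "$fails"
}
```

Export `CA_PASS`, then run `build_chain /path/to/myCerts && preflight /path/to/myCerts`; a zero exit status from `preflight` means the bundle is consistent before `kyrtool verify` and `kyrtool import all` see it.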


Accessing Traveler or Domino HTTP from iOS 9 devices

 23 July 2015 15:31:15
Starting with iOS 9 Apple will introduce App Transport Security (ATS).

App Transport Security is a feature that requires secure connections between an app and web services. The default connection requirements conform to the best practices for secure connections. Apps can override the default behavior and turn off App Transport Security.
App Transport Security is available on iOS 9.0 or later, and on OS X 10.11 and later.

Default Behavior
All secure HTTP (HTTPS) connections follow the App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail. The requirements are:

- TLS requires at least version 1.2.
- Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers).
- The service requires a certificate using at least a SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key.
- Invalid certificates result in a hard failure and no connection.
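
A check of the certificate-related ATS requirements listed above, run against a PEM certificate with `openssl`; this is an added example, not from the original post. The function names and the constructed sample certificates are assumptions, and the TLS version and cipher requirements are not covered because they need a live connection.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# certificates are assumptions; the thresholds are the ATS requirements above.

# ats_params_ok SIG_ALG KEY_ALG BITS: print each violated requirement and
# return 1 if there is any. Names are the ones "openssl x509 -text" prints.
ats_params_ok() {
    rc=0
    case $1 in
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) ;;
        *) echo "signature hash is not SHA-256/384/512: $1"; rc=1 ;;
    esac
    case $2 in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=256 ;;
        *) echo "key type not covered by the ATS rule: $2"; return 1 ;;
    esac
    if [ "${3:-0}" -lt "$min" ]; then
        echo "key too short: ${3:-0} bit, need at least $min"; rc=1
    fi
    return $rc
}

# ats_cert_check FILE: read the three properties from a PEM certificate and test
# them. Returns 0 (meets the rule), 1 (violates it) or 2 (file cannot be parsed).
ats_cert_check() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $1"; return 2; }
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    ats_params_ok "$sig" "$alg" "$bits"
}

# make_sample rsa|ec BITS OUT: constructed self-signed certificate, used only as
# sample input for ats_cert_check (BITS is ignored for ec, which uses P-256).
make_sample() {
    tmp=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=constructed-sample\n' \
        > "$tmp/c.cnf"
    if [ "$1" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/k.pem"
    else
        openssl genrsa -out "$tmp/k.pem" "$2" 2>/dev/null
    fi &&
    openssl req -new -x509 -sha256 -days 1 -config "$tmp/c.cnf" \
        -key "$tmp/k.pem" -out "$3"
    rc=$?; rm -rf "$tmp"; return $rc
}
```

Run `ats_cert_check` against the server certificate exported from your key file; a SHA1-signed certificate or one with a key shorter than 2048 bit is reported with the reason.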

The accepted ciphers are:

As you can see, all supported default ciphers are using ECDHE, which is not supported by Domino at the moment.

If you are an app developer, you can enable additional ciphers that are supported by Domino. This has to be done by the developer in the Info.plist of the app, so for third-party apps you must hope that their developers will do that for you.

As far as we can test it with iOS 9 Beta 3, Apple will do a fallback to these additional ciphers and even down to TLS 1.0 for Traveler using the integrated mail app and for Safari.

So Traveler and your XPages web applications are working. But you need TLS and SHA256, which are only supported together when you are running 9.0.1 with the latest fixpacks.

We don't know at the moment, if Apple will change this fallback for integrated apps in the final release, but at the moment it works!  

To be safe for the future IBM must support ECDHE ciphers!

The IBM Traveler, IBM Mobile Connect and IBM Domino Security teams have been informed by Daniel Nashed and by us.

We all should wait for their answers before we are switching to panic mode.

But all admins out there who are still running Domino 8.5.3: you must update to 9.0.1 FP4 or add a reverse proxy in front of your Traveler server before iOS 9 arrives!


To get more details, check out:

Update 23.07.2015:

I just received an answer from the IBM Mobile Connect Dev Team: IBM Mobile Connect in the latest version already supports TLS 1.2 and ECDHE ciphers. So IBM Mobile Connect is well prepared for iOS 9!


    Anyone else having problems with Traveler

     17 July 2015 16:15:35
    I would like to ask you:

    Are you having issues with the latest IBM Notes Traveler version, too?

    Two of our customers already updated their Traveler HA systems to and they are having trouble:

    1. Already enrolled devices are getting a new initial sync after the update

         As we can see in the Traveler log, some (not all) devices are starting a new initial sync.
         That behaviour starts after the update to

    2. Users with mail files on remote servers are no longer getting new mails.

    After upgrading Traveler from IF7 to at customer side, we are facing problems with mail sync that no longer works reliably and we are seeing a lot of 503 / Time+out+waiting+for+thread errors.

    "07/10 12:07:03.539" "" Worker-0940 "CN=Frank Test /OU=ATHU/O=COMPANY/CÞ" "action=syncAS&cmd=Sync&CollectionId=4&SyncKey=34&Comment=(Timed+out+waiting+for+thread+DS-0a10%5B4%5D%5BA5661DA5C6F37131D7602CB660B2EA8D%5D%5B17778858%5D+to+complete.)" dp 503 20311 "Apple-iPhone5C2/1208.143" ApplC9LJMYU71234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

    After the update, end users are reporting that they do not receive any new mails.

    We already checked the connection between the Traveler and Domino Mail server, where all looks fine and we think, that there is something going wrong in the new Traveler release.

    We are able to reproduce the behaviour.

    The customer is running three different Traveler environments:

    Test (Traveler & Domino 9.0.1 FP4 )
    Production ( Traveler & Domino 9.0.1 FP4)
    Production Pilot (Traveler IF7 & Domino 9.0.1 FP2 HF384)

    We configured three different mail profiles for the same user on the same device. Every profile is using a different Traveler environment. The device is connected using internal WiFi.

    Test & Production  --> Issues with mail sync
    Production Pilot --> working

    We opened PMRs for both issues, but we are still waiting for an answer from IBM.

    So, if you are planning to upgrade to Traveler - at the moment I cannot recommend it!

      10th OpenUserGroup-Westfalen Stammtisch on 13.08.15 in Gütersloh

       7 July 2015 20:24:31
      Please save the date:


      The 10th OpenUserGroup | Westfalen Stammtisch will take place on Thursday, 13.08.15 in Gütersloh.

      Besides networking and discussing current topics in a relaxed atmosphere over good food and cold drinks, there will be two short talks on the IBM Collaboration & Social product family.

      The following two talks are planned:
      1.        The IBM Notes Browser Plugin in practical use - Martin Garrels
      Experiences after 6 months in production with, by now, more than 2,600 users

      2.        DNUG 2015 - current status - Jörg Rafflenbeul (DNUG board)
      What comes next for DNUG, and open discussion

      Further details on the Stammtisch, the location and the agenda can be found here: OpenUserGroup | Westfalen

      As usual, I will also send out the invitations to the previous participants by e-mail in the next few days.

      New members are welcome. Just get in touch with me or fill in the contact form: OpenUserGroup | Westfalen - Kontakt

      PS: As always: the event itself is free of charge, but each participant pays for their own food and drinks.

      IBM Notes Traveler available

       30 June 2015 22:05:01
      IBM released IBM Notes Traveler today.

      IBM Traveler is a maintenance release that includes APAR fixes for the IBM Traveler server and Android client.

      Some more fixes regarding MIME & attachment handling issues introduced with and

      Here is the Fixlist:
      APAR # Component Abstract
      LO84879 Server Calendar notice may be sent multiple times or be sent by the server ID.
      LO85144 Server E-mail containing invalid zero character in WBXML encoding may not sync correctly to mobile device.
      LO85222 Server Attachment with an unknown content type may not download to device.
      LO85237 Server Proxy credentials may not be removed from notes.ini during startup.
      LO85260 Server When Trash sync first enabled, sync only today and later trash items to improve performance.
      LO85283 Server Mime format e-mail may sync to device without the body.
      LO85357 Server Attachment with forward slash in file name may not sync to mobile device.
      LO85444 Server Web Admin may not show data for a user and will receive "Could not generated devicetype" error message.
      LO85445 Server Attachment with multiple dot characters in file name may not sync to mobile device.
      LO85477 Server On standalone server auto cleanup could impact security records then requiring re-approval if approval is enabled.

      Downloads can be found here

        Who is using Splunk or a similar solution?

         17 June 2015 09:11:14
        This is an unusual post for me. This time I have a bunch of questions and would like to get your answers or experiences.

        I would like to know if you are already using solutions like Splunk, GrayLog or similar in your enterprise to get central access to, and views and analytics of, your machine-generated data like system / application logs and platform statistics.

        The idea behind Splunk:

        Step 1: Collect from all of your systems your application / system logs and platform statistics.  
        Step 2: Throw them into Splunk and let them get indexed by Splunk.


        Step 3: Search and drill down across your indexed log files from a central point


        Step 4: Use Big Data analytics provided by Splunk to visualize your indexed data to build dashboards or generate alerts.


        My questions to you:

        Do you know Splunk?
        Do you use Splunk, GrayLog or a similar solution in your enterprise already?
        How and for what use case do you use Splunk?
        How do you forward Domino, WebSphere, DB2 or your application logs and statistics to Splunk?

        Please add a comment or send me an email.

        I am looking forward to your answers and already thank you very much for participating in the discussion.

        To answer your question before you google it: What the hell is Splunk?

        Splunk is an American multinational corporation based in San Francisco, California, which produces software for searching, monitoring, and analyzing machine-generated big data, via a web-style interface.
        Splunk (the product) captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.
        Splunk has a mission of making machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics. As of early 2015, Splunk has over 9,000 customers worldwide.
        Splunk is based in San Francisco, with regional operations across EMEA and Asia, and has over 1700 employees.

        Splunk offers products that perform real-time and historical search, as well as reports and statistical analysis. The product can index structured or unstructured textual machine-generated data.

        Source Wikipedia:

        If you don't know Splunk - visit the Splunk Website:
        If you don't know GrayLog - visit the GrayLog Website:

        Reuters: BlackBerry thinking of launching Android phone

         12 June 2015 11:29:41

        BlackBerry (NASDAQ:BBRY) is thinking of launching its first phone to run on Google's version of Android, 4 sources tell Reuters.
        The decision is reportedly tied to BlackBerry's efforts to "pivot to focus on software and device management."

        BlackBerry is coming off an FQ4 in which end-user phone sales fell to 1.6M from 1.9M in FQ3 and 3.4M a year earlier; IDC estimates the company's smartphone OS share was down to 0.3% in calendar Q1.

        Meanwhile, BlackBerry has estimated it needs to sell 10M phones/year to break even on its hardware ops.

        As it is, BlackBerry has partnered with Samsung to provide security software/services for Samsung's Android hardware, and has launched plenty of cross-platform security and MDM solutions.
        BB10 phones support Android apps via Amazon's Appstore for Android, but don't have access to Google apps/services that are baked into Google's version of Android or distributed via the Play Store.

        via Reuters:

        My 50 cents: BlackBerry will not be able to survive as a hardware manufacturer with their own OS platform. Switching to Android will not solve their issues but will add new ones. In the near future BlackBerry will be "only" one more MDM & MAM vendor in the market.

        What's your opinion?

        IBM Verse for Android app available

         30 May 2015 12:18:11
        IBM Verse for Android available via Google Play Store.


        The Verse app is a replacement/upgrade of the Traveler app that will be dismissed! The new app will only be available via Play Store at the moment.

        IBM Verse Client for Android only supports Android 4.x and later OS levels. The IBM Traveler client for Android is still available for use for older OS levels. The IBM Traveler client for Android can be obtained from the Traveler Home Page.

        This app is compatible with IBM Traveler server version and later fixpacks, as well as 8.5.3 Upgrade Pack 1, 8.5.3 Upgrade Pack 2, and 9.x.

        These are some of the features that IBM Verse provides on Android:

        - See mail from people important to you
        - Set people you interact with often as Important
        - Mark mail as Needs Action
        - Manage items that need follow up
        - Track who owes you a response and when
        - Work with your calendar seamlessly
        - Interact with all of your contacts

        Update 02.06.2015:

        What's New?

        New download link on Traveler home page to download the IBM Verse client for Android from the Google Play store.

        Note the following:

        IBM Verse client for Android users do not need to connect to a server. IBM Verse for Android client supports Traveler server versions 8.5.3.x and later. Some features will be available only if running the latest Traveler server.

        IBM Verse client for Android will be available only via the Google Play store and select MDM providers. The IBM Traveler client will remain available from the Traveler server to support Android devices running 2.x or 3.x OS.


          IBM Notes Traveler available

           29 May 2015 21:48:30
          IBM released IBM Notes Traveler today.

          Hopefully this one will fix the MIME handling issues introduced with and

          Here is the Fixlist:

          APAR # Component Abstract
          LO84144 Server Update of appointment instance may not sync to Apple device.
          LO84586 Server Warning message for NTS_PUSH_ENABLE_APNS setting at startup.
          LO84641 Server Push not working for Android devices.
          LO84756 Server Remove last attendee from event on Apple device may not be reflected in Notes client.
          LO84747 Server Some wav files for Mime format document do not sync to mobile device.
          LO84790 Server Parse exception on malformed Mime document may prevent sync of document.
          LO84792 Server Verse client displays zero byte attachment.
          LO84825 Server Chair field with canonical format may get replaced by internet format user name.
          LO84845 Server Large e-mail bodies in Mime format may not display on mobile device.
          LO84846 Server For performance, do not use index hint with enterprise database.
          LO84861 Server Meeting notice deleted from device may not be deleted on server.
          LO84878 Server Calendar description field may lose line feed characters.
          LO84939 Server Immediately after enable Trash sync, device may receive error trying to delete a message.
          LO84941 Server Setting Out of Office from IBM Companion app on iOS 8.x may fail.
          LO84943 Server Out of Office time may display in server time zone instead of end user time zone.
          LO84947 Server Defrag on stand-alone server may display errors.
          LO84957 Server Event acceptance state may not be displayed after accepting a single meeting instance.
          LO84968 Android Security update may not push to Android devices running 4.2 or later OS.
          LO85028 Server Attachment sync error "Could not find file attachment"
          LO85031 Server Traveler server may crash processing a malformed Mime document.
          LO85057 Server Attachment sync error "Entry not found in index."
          LO85110 Server Syncing Mime format documents may result in exception in logs.

          Downloads can be found here