Just in case you missed it last week on the 19th, my May 2009 Sys Admin edition came out.  Thank you all for the current 4 star rating on this issue.  Let me know what you would like to see by sending me an email!

Topics included:
* From the Editor: Chris's 0.0536000 XCD
* From the IdoNotes Mailbox: Designating My Instant Meeting Servers
* Keeping Your Sametime Meeting Center Clean and Healthy
* Quick Tip: Sametime Advanced Update 8.0.1 and Sametime Connect 8.0.2
* From the IdoNotes Mailbox: Architecture Decisions for the EMS

OK, we thought we were done.  We really did.  We scripted and updated applets in hundreds of servers.  But, alas, we need to go back one more time for a couple of them and revert back to a previous applet.

What's changed
A re-signed websvc.jar file was previously included in the list of files to replace on Domino 7.x releases; however, this file is not used by browsers and thus is not impacted by the applet expiration issue. Additionally, it was discovered that applying the re-signed websvc.jar file could cause crashes on Domino 7.x releases prior to 7.0.3

This only applies if you used the manual replace method and not the interim fix method to make it easier.  You must go back and revert to the gold version of the file.  So how many kept your gold ones?  Huh? Tell me?

Interesting turn of events.  We had used some custom toolbar icons for some time.  Well after some recent upgrading it seems that those icons are no longer in the client so you get a nice yellow X.  (screenshot)  



If you forgot to set the pop-up help in those icons you deployed (optional, not required) you have no idea which icon does what anymore.

So I was browsing the new OpenNTF site and seeing what they had available and saw the ability to now drag and drop widgets right into your sidebar.  It looked like it was cranking away successfully but a little window eventually came up.



So I tried another, same issue.  I am not sure if somehow it is me (which I don't have issues from other catalogs or via email).

Anyone else?  I heard of people getting crashes too.

If you have no idea what this is about go read my posting right here, this is big for users people

• Starting on Tuesday the 19th 2009, web browser users who access various applets hitting a Domino/Sametime/Quickr server may receive a message that the certificate associated with the applet has expired
• This doesn't affect functionality, just the warning error unless the user trusts IBM
• The certificate was unable to be renewed until they got close to the expiration.  They were limited in time to renew earlier.  Then there was testing to do and prep for posting
• -----> Open Q&A begins here by pressing *1 and recording your name<--------------
• Shawn asks - due to time sensitivity there is not much testing time on the new fixes.  Answer: you can test it via java/applet API's to see how it is signed and when it will expire.  Since this is a browser that is impacted you can actually on a test machine try it but setting your clock into the future.
• Irv asks - on a test server he has overwritten the files.  In the java section of the browser will that date be automatically updated on the next connect?  Will the people with the older expired certificate get the update automatically or will they have to delete and reinstall soemthing?  Answer from Scott Vrusho: The technote will be updated to clarify the this.  The user will be prompted to accept the new certificate in the browser just as they were 3 years ago
• Ray asks - the remediation effort is just a file swap?  Answer - yes
• Steve asks -  the new applets on Sametime will force the user to be accepted on a prompt if they previously trusted IBM?  Answer from Scott - yes even if the user trusted IBM previously they will be prompted
• Rob asks - will this affect BES?  Answer from Scott - nope
• Scott asks - I just shut down HTTP on the Domino server and it would not allow me to replace some jar files due to them being locked  Answer from Scott - in testing they could just shut down HTTP but you might have to shut the Domino server down
• Steve asks - they are using the Sametime Limited client, is there anything to do?  Answer - there shouldn't be since this is meetings and HTTP , not chat
• Tim asks - they are using 7.0.3 with Sametime integrated but they use webmail.  Will they get the prompt to accept certificates?  Answer from Scott - DWA and iNotes shouldn't.  all other stock templates have applets
• John asks - why the NCSO jar file (sorry missed some of it)  Answer they will update the technote to see why that NCSO file is included
• ?? asks - On sametime server there is both Domino and Sametime fixes to be applied? they did a test and moved server to later date to see behavior and is that it? Are instant meeting users affected?  Answer - yes to all parts
• Mark asks - on the technote for Sametime it states version 7 and above yet they run 6.5.1.  Is it the same of a different patch?  Answer - that version is EOL so there is no signed applets for that version.  So get to upgrading or you will get prompts
• ?? asks - Domino and Sametime with EMS in front.  Do these jars impact/work with the FIPS encryption?  In preliminary testing they did not get into meetings with the new jars.  Are they compatible?  Could they grab the certs and move them into the jar files  Answer - they are not sure and will research.  A FIPS version was not ready
• Tino asks - specific question for version 7.5 of Sametime and they do not see a fix for that version.  Answer - they were suggested to move to 7.5.1 and the CF1 and CF2.  While it may not be possible, it would be encouraged.  Yet this didnt answer the question.
• Mike asks - they have 6.5.6 servers with iNotes 6 template.  Is it affected? They loaded a test on a Domino 8,.5 server with the patch.  They had no change for the trust question.   Answer from Scott - they are not affected.  DWA/iNotes is not impacted and no applets on any version
• Wayne asks - Quickr on Domino, no Sametime.  They use ActiveX verus java for drag and drop is there any concern?  Answer from Jennifer - no concern in either case
• Lisa asks - running Domino 7.0.3 server with mixed R6 clients and R7 clients on both versions of iNotes/DWA templates. Sametime Connect for browsers are in use, are they affected?  Answer from Scott - iNotes/DWA no impact. Sametime Connect is affected and is in the patches
• Alan asks - are the expirations time zone related? What about chat functionality through DWA?  Answer from Scott - they aren't totally sure but there is an hour associated with the expiration that will adjust based on timezone.  Yes the chat for stlinks files used in DWA for awareness are affected and should be checked to see if they are unsigned or signed.
• Ian asks - are there any updates for jar files in the client distribution?  Answer from Scott  - this is fairly niche case where you run and develop web apps to preview in web browser.  The applets would show then with the prompt.  They are not advertising for normal use case to update the client yet it could affect those "rare" instances.  Fixes will be in the later normal later release and fixes for clients.  The 8.0.2 FP2 and 8.5 FP1 will have these updates.  Later when these expire in 2012 this wont cause the same issue due to timestamping in signing so no future prompts they are rolling into future products
• Lisa asks - Domino 7.0.3 in house and they had to bring the server down to replace the one program file directory file.  She got a prompt for an applet to choose to always run for it not to come up anymore.  Is that normal? Answer from Scott - he questioned which one to see if it was a normal prompt or about the date.  It was about accepting to run the software entirely.
• Jeff asks - they have Quickplace 7, is there an order to apply with Quickr/Sametime/Domino. Answer - there is no order and no Quickplace patch unless you have Sametime integration with Quickplace.  They will update technotes more on how to verify dates.
• Mark asks - on all the products they have applied the fix and the user gets prompted, will they also get prompted when they hit Sametime for a meeting the first time or will one acceptance work across? What about our Sametime 6.5.1 servers?  Answer from Scott - one acceptance will take care of all of it.  There is nothing to do for Sametime 6.5.1 servers since there is no patch for them.  Those users will get the security  warning.
• Rich asks - for Quickplace 6.5.1 there was a patch listed but what about domino? What about the downloadable gold code that is out there now, will these be updated or will I apply fixpacks? Answer from Scott - there is a Domino 6.5.x patch for all versions.  You have to download fixpacks, they will not upload fixed gold code.
• ?? asks - they have a lot of products running on Domino with multiple patches.  Portal is the front end..  they exported the SSO key and will this affect it.  Answer from Scott - any application relying on the Domino applets will be corrected when replacing the applets. These are just applet certificates, no application or SSO certificates.  No issue there.
• Tim asks - Their Domino has legacy web apps (over 100)on a 5.0.11 server.  Any recourse?  Answer from Scott - no.
• Bob asks - They tried pushing the clock forward but cant recreate the popup.  Answer - going into Java settings in the browser to remove the IBM trust will then show the popup again.
• me - are the files the same for Domino 8.0 and Domino 8,5.  Sizes and everything else matches  Answer from Scott - they should be as they built the Domino 8.5 o n the same codset and no other changes were really made.
• Andy asks - Domino 7.0.3 with DWA 6.5.3 template.  Answer - no problem

I had to drop off the call at this point, so I missed a handful.  The call went almost 30 minutes late.

Subscribe in a reader

If you have been trying to keep more up to date with news from IBM on Lotus, then I have the feed for you to use  right here.

I would suggest that we all really start sharing feeds on Google Reader (if you use it).  Add me as IdoNotes at gmail and we can start filtering and sharing more feed content.  I do this now with about 40 people and it saves me a lot of time reading material.  Why would you do this?  Go back and visit my previous posting on TheSocialNetworker

The bloggers gather again at Lotusphere2009 for open discussion with the Lotus executives (pt 2).  There is no guaranteed questions the executives will hear and each year they get a surprise or two in the candid lines of questioning.  Yet they always deliver candid answers to this group.  Something everyone looks forward to.  This is an annual podcast event found only at IdoNotes.  You can hear the previous years interviews for 2008 and 2007 also.

Follow the above banner and use the coupon code "IdoNotes" when checking out for up to 20% more discount on your certification practice exams !

If you have not signed up for the LCTY events on LotusUserGroup.org then head on over.  The next one in the series is today in one hour (that is 12pm EST).

Welcome to year #4 for Collaboration University.  We have many returning for their senior year as well as new freshman entering the program.  For those of you returning, you get a special alumni discount for each year you have attended.  Then we have an early bird discount to entice some of you even more.

Visit Chicago from September 14-16
Visit London form September 21-23

But for today only, add all of the above discounts together and then toss on yet another $100 USD off the total registration for an amazing one day offer.  We will be covering Quickr 8.2, Sametime 8+ and Lotus Connections 2.5 with your normal professors and some new special guests.

Unless you haven't been reading along in emails and living under administration rocks, you have till May 18th 2009 to replace the following:

The certificate for some Java applets in Lotus Domino 6.5.x, Domino 7.0.x, Domino 8.0.x, and Domino 8.5 have an expiration date of May 18, 2009. Starting May 19th, Web users will see a dialog with a message similar to one of the following when loading a Web page that contains a Java applet from the Domino server:

"The digital signature was generated with a trusted certificate but has expired or is not yet valid."
"The security certificate has expired or is not yet valid."

As this was just not enough, do not forget about the Sametime expirations the exact same day also:

The Lotus Sametime Meeting Server applets are signed with a VeriSign certificate that is valid between May 15, 2006 and May 18, 2009. To prevent users who load any of the Sametime applets such as the Meeting Room Client or Directory applet from seeing a warning message as of May 19th

Want technotes?  Oh we have them..  Domino and Sametime

Now don't think I waited till the last minute to tell you.  Lotus held off to get the digital signatures right.

(simple screenshot)

This shows fixed in 7.0.3 however and just caught me in 8.5

Client UI

RDER6AHPV4

SPR# RDER6AHPV4 - Fixed a client hang with 'In order to do multiple transactions simultaneously, you cannot use the same DB handle'.

I had interest in this since we had a customer using the audio chat functionality quite nicely.  However, firewalls and network translations were a headache.  Lotus had a fix coming along the way but it got put on hold due to a bug in the code according to this recent public technote (1384423):

Sametime Reflector hotfixes, for both client and server, address problems with media connections using a technology called Interactive Connectivity Establishment (ICE). ICE uses STUN/TURN protocol to logically deduce the most logical and efficient network paths between remote endpoints using all available network interfaces. This greatly improves the ability of clients to negotiate audio/video sessions across complex network topologies.

There are fixes available for Sametime 8.0.1 and 8.0.2 servers and clients. Due to the depth of architectural modifications required to enable this new functionality, it is not possible to backport these fixes to any Sametime client or server version prior to 8.0.1. If this functionality is required, please upgrade to at least Sametime 8.0.1 and apply the appropriate fixes.

Note: The Sametime Reflector hotfixes for Sametime 8.0.1 and 8.0.2 are currently on hold. We have uncovered an underlying bug in the code that must be updated prior to release of the fixes. This technote will be updated as soon as the new fixes are made available.

The bloggers gather again at Lotusphere2009 for open discussion with the Lotus executives (pt 1).  There is no guaranteed questions the executives will hear and each year they get a surprise or two in the candid lines of questioning.  Yet they always deliver candid answers to this group.  Something everyone looks forward too.  This is an annual podcast event found only at IdoNotes.  You can hear the previous years interviews for 2008 and 2007 also.

 Follow the above banner and use the coupon code "IdoNotes" when checking out for up to 20% more discount on your certification practice exams !