An IBM Proof of Technology


Oct 30, 2013 (3 years and 5 months ago)

Notes and Domino 8.5
Lab Exercises
PoT.Lotus.08.5.004.01
© Copyright International Business Machines Corporation, 2009. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
IBM Software
Contents
LAB 1 EVALUATING DAOS WITH MAIL FILES
  1.1 OBSERVE DISK SPACE UTILIZATION WITHOUT DAOS
  1.2 ENABLE DAOS ON THE DOMINO SERVER
  1.3 VALIDATE DAOS RESULTS
  1.4 SUMMARY
LAB 2 ID VAULT AND SHARED LOGIN
  2.1 PART ONE - NOTES ID VAULT
  2.2 PART TWO - SHARED LOGIN
  2.3 SUMMARY
LAB 3 LOTUS PROTECTOR
  3.1 REFERENCE FOR INITIAL CONFIGURATION
  3.2 CONFIGURING DOMINO FOR SMTP
  3.3 LOTUS PROTECTOR CONFIGURATION
LAB 4 EXPLORING LOTUS NOTES TRAVELER
  4.1 INSTALLING THE NOTES TRAVELER SERVICE
  4.2 INSTALLING THE NOTES TRAVELER CLIENT
  4.3 USING THE NOTES TRAVELER CLIENT
  4.4 WORKING WITH APPLICATIONS
  4.5 SUMMARY
LAB 5 DOMINO DESIGNER 8.5
  5.1 CREATING THE MANAGEMENT DATABASE
  5.2 THE NEW XPAGE
  5.3 CSS & XPAGES
  5.4 XPAGE CODING
  5.5 SUMMARY
LAB 6 NOTES AND DOMINO 8.5 APPLICATION DEVELOPMENT
  6.1 DEVELOPING COMPOSITE APPLICATIONS
  6.2 SUMMARY
LAB 7 XPAGES
  7.1 HELLO WORLD
  7.2 CONDITIONAL DISPLAY OF INFORMATION IN XPAGES
  7.3 BUILDING THE FOUNDATION
  7.4 CREATE A CUSTOM CONTROL THAT HAS A CUSTOMIZABLE CONTENT AREA
  7.5 DISPLAY NOTES DOCUMENTS IN XPAGES
  7.6 PAGE FLOW
  7.7 DATA PROVISION TO CONTROLS
  7.8 DATA FROM NOTES VIEWS
  7.9 ADVANCED DATA BINDING
  7.10 INPUT VALIDATION
  7.11 DATA VALIDATION (OPTIONAL)
  7.12 JAVASCRIPT LIBRARIES (OPTIONAL)
  7.13 CUSTOM VALIDATORS (OPTIONAL)
  7.14 TAB NAVIGATION (OPTIONAL)
  7.15 USING JAVA (OPTIONAL)
  7.16 ADDITIONAL ELEMENTS (OPTIONAL)
  7.17 REPEAT CONTROLS (OPTIONAL)
  7.18 THEMES (OPTIONAL)
  7.19 JAVA CLASSES (OPTIONAL)
  7.20 COMBINATION OF CLIENT AND SERVER SIDE JAVASCRIPT (OPTIONAL)
  7.21 NOTES AGENTS (OPTIONAL)
  7.22 USING @FORMULAS (OPTIONAL)
  7.23 CONVERTING NOTES VIEWS INTO XPAGES (OPTIONAL)
  7.24 EMBEDDED HTML AND DOJO (OPTIONAL)
Overview
The Notes® and Domino® 8.5 Upgrade Workshop is intended to provide the customer with an in-depth examination of the new capabilities of version 8.5 of the products. For existing customers, this exploration will help them assess the additional value and potential impact to their existing environment. For new customers, this exploration will not only give them a hands-on experience with a product new to them but it will also reinforce our advantages over the competition, such as the power of applications.
The objective of this session is to explore new features of IBM Lotus Notes and Domino 8.5 and prepare participants for a successful upgrade.
Introduction
The IBM Lotus Notes and Domino 8.5 Upgrade Workshop Proof of Technology (PoT) provides a hands-on experience for those needing to explore the new features in version 8.5 and prepare for a successful upgrade.
This Proof of Technology (PoT) is designed to demonstrate the capabilities of IBM Lotus Notes and Domino. Participants will receive a hands-on experience of the Notes Client, Domino Administrator, and Domino Designer.
Requirements
You will need a workstation with the VMware image for the Notes Domino 8.5 Upgrade Workshop PoT.
Icons
The following symbols appear in this document at places where additional guidance is available.
Purpose | Explanation
Important! | This symbol calls attention to a particular step or command. For example, it might alert you to type a command carefully because it is case sensitive.
Information | This symbol indicates information that might not be necessary to complete a step, but is helpful or good to know.
Troubleshooting | This symbol indicates that you can fix a specific problem by completing the associated troubleshooting information.
Lab 1
Evaluating DAOS with Mail Files
The purpose of this lab is to demonstrate the capabilities of the new Lotus Domino Attachment and Object Service (DAOS). After completion of the lab, workshop participants will be able to observe the reduction in disk space needed when sending the same attachments to multiple users on the same server.
There are other dimensions to DAOS (such as administration and backup) that are outside the realm of this exercise.
After completing this exercise you should be able to:
1. Configure a Domino 8.5 server for DAOS
2. Validate if a Domino server is configured for DAOS
3. Enable a set of Notes 8.5 mail files to use DAOS
4. Observe the result of enabling DAOS in reducing the disk space consumed
1.1 Observe disk space utilization without DAOS
First we will look at the impact that sending attachments has on the size of mail databases before the Domino Attachment and Object Service is enabled.
1.1.1 On disk, evaluate the size of the mail files in the Domino 8.5 server's mail folder.
__1. Open Windows Explorer and navigate to the c:\Lotus\Domino\data\mail directory and note the size of the current mail files.
1.1.2 Send a memo with a large attachment to 3 test users
__1. Make sure the Domino server is running. If it's not, start the Domino server by double-clicking on the Domino Server icon on the workspace. If prompted, start Domino as an application, not a service. This applies to all labs.
__2. Open the Notes client. Use the location for Natalie. The Lotus password is “passw0rd” (note the zero instead of “o”).
__3. Open Natalie's mail file and create a new memo.
__4. Attach the file DAOSLab-File1.ppt located in c:\LabFiles\DAOS
__5. Send the memo to Dan Misawa, Ling Shin and Samantha Daryn.
__6. Right-click on the attachment and select Attachment Properties. Note the length of the file.
__7. After the mail message has been sent, evaluate the mail file sizes with Windows Explorer again.
1.2 Enable DAOS on the Domino Server
In this step we will enable and configure the Domino Attachment and Object Service.
1.2.1 Configure the server to use the 8.5 ODS for new databases
__1. Open Windows Explorer and navigate to the c:\Lotus\Domino directory.
__2. Right-click on the notes.ini file and select “Open”.
__3. If not already there, add the following string at the end of the file:
Create_R85_Databases=1
__4. Save and close the file.
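
The "if not already there" condition in step 3 is easy to get wrong by hand, so here is an added example (not part of the IBM lab material) that applies the setting idempotently and keeps a backup of notes.ini. The function names are hypothetical, and it assumes setting names are matched case-insensitively and that the file uses one `Name=Value` pair per line.

```python
import shutil

SETTING = "Create_R85_Databases"   # setting name from lab step 1.2.1
WANTED = "1"                       # value from lab step 1.2.1


def ensure_ini_setting(text, name=SETTING, value=WANTED):
    """Return (new_text, action); action is 'unchanged', 'updated' or 'appended'.

    Assumption: names are compared case-insensitively. A later duplicate
    of the same setting is dropped so only one definition remains.
    """
    newline = "\r\n" if "\r\n" in text else "\n"      # keep the file's line endings
    lines = text.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":                  # ignore trailing blank lines
        lines.pop()

    out, seen, changed = [], False, False
    for line in lines:
        key, sep, current = line.partition("=")
        if sep and key.strip().lower() == name.lower():
            if seen:                                  # duplicate definition: drop it
                changed = True
                continue
            seen = True
            if current.strip() != value:              # present but with another value
                line = f"{name}={value}"
                changed = True
        out.append(line)

    if not seen:
        out.append(f"{name}={value}")                 # step 3: add at the end of the file
        action = "appended"
    elif changed:
        action = "updated"
    else:
        return text, "unchanged"                      # already set: leave the file alone

    # Always finish with a line ending so the last setting is a complete line.
    return newline.join(out) + newline, action


def apply_to_file(path, name=SETTING, value=WANTED):
    """Apply the setting to a notes.ini file, writing <path>.bak before any change."""
    # latin-1 maps every byte to one character, so unrelated lines survive unchanged;
    # newline="" stops Python from rewriting CRLF line endings.
    with open(path, "r", encoding="latin-1", newline="") as f:
        text = f.read()
    new_text, action = ensure_ini_setting(text, name, value)
    if action != "unchanged":
        shutil.copy2(path, str(path) + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(new_text)
    return action


if __name__ == "__main__":
    # Constructed sample content, not a real notes.ini.
    sample = "[Notes]\r\nDirectory=c:\\Lotus\\Domino\\data\r\ncreate_r85_databases=0\r\n"
    fixed, what = ensure_ini_setting(sample)
    print(what)
    print(fixed)
```

On the lab image the call would be `apply_to_file(r"c:\Lotus\Domino\notes.ini")`, using the path from step 1.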
1.2.2 Enable transaction logging for the Domino server
__1. Open the Domino Administrator client if not already open. Use the “Admin” location with username of sadmin/demoibm and password of “passw0rd”. (If the Notes client was still running, you won't get prompted for a password when the Administrator client starts. Switch to the Online – Admin location and log in after it launches.) Press Cancel if you get prompted to log on to instant messaging.
__2. Edit the Server document for the Domino85/demoibm server. The “Server” in the upper left area of the Admin client should say Domino85/IBMDemo. If it doesn't, pull down the File menu and select Open Server. Choose Domino85/demoibm from the resulting drop-down list and click OK.
__3. Click the Configuration tab and expand the section for Server. Click Current Server Document in the expanded section, then click the Edit Server button in the action bar.
__4. Navigate to the “Transaction Logging” tab.
__5. In the “Basics” section, change “Transaction Logging” to “Enabled” - a message will display advising you to place the log files on a separate drive. This is not necessary for our test environment – click on “Yes”.
__6. Set the maximum log space to 2000MB.
__7. Accept all other default settings.
__8. Save and close the server document.
1.2.3 Restart the Domino server
__1. Using the Domino server console, enter a “restart server” command. You will see console messages reflecting the change.
Troubleshooting: It may appear that the server is hung – give it a minute or two as these changes can take a few minutes to process.
1.2.4 Enable DAOS on the Server
__1. Edit the server document again, but this time navigate to the new “DAOS” tab.
__2. Toggle the field for enabling DAOS to “Enabled”.
__3. Accept the default minimum object size and DAOS base path (the Domino\data\DAOS directory).
__4. Save and close the server document.
__5. Restart the Domino server again.
__6. Once the Domino server is restarted, you should now see a DAOS folder beneath the data folder on the Domino server (via Windows Explorer).
1.2.5 Using the Domino server console, enter a “show server” command to observe that the command reports the status of DAOS. It should look like the following screen capture:
1.2.6 Enable DAOS on all users' mail files – even existing ones.
__1. Open the Domino server console.
__2. Enter the following command: “load compact mail -c -daos on”
__3. This will perform 2 functions – it updates the application's ODS and activates the use of DAOS. You will see it recovering disk space in the mail files.
Note: There are other approaches for enabling DAOS, but this is the most efficient way to perform both steps.
1.3 Validate DAOS Results
Similar to what we did in the first step, we will check mail database sizes in the changed environment, i.e. with the new Domino Attachment and Object Service running.
1.3.1 Evaluate the disk space reported now that DAOS has been enabled
__1. Open Windows Explorer and navigate to the c:\lotus\domino\data\mail directory. Note the disk space utilized – you should see a dramatic difference in the size of the mail files. You might need to refresh the view to pick up the new file sizes.
1.3.2 Send a large attachment to see how DAOS reacts
__1. Log into the Notes client as Natalie Olmos again and create a new memo with a large attachment.
__a. Use the file DAOSLab-File2.ppt located in c:\LabFiles\DAOS
__b. Send the message to Dan Misawa, Ling Shin and Samantha Daryn
__2. Notice that a new .nlo file is created in the lotus\domino\data\daos\001 directory.
__a. Notice the disk space of the mail files the message was sent to.
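
The before and after comparisons in 1.1 and 1.3 can be recorded rather than read off Windows Explorer. The following is an added example (not part of the IBM lab material) that snapshots the sizes of the .nsf mail files and the .nlo objects and reports the net saving, counting the space the DAOS store itself now uses. The function names and the demo file names are hypothetical; on the lab image the directories would be c:\Lotus\Domino\data\mail and c:\Lotus\Domino\data\DAOS.

```python
import json
import tempfile
from pathlib import Path


def _sizes(root, suffix):
    """Map relative path -> size in bytes for files under root with this suffix."""
    root = Path(root)
    if not root.is_dir():              # the DAOS folder is absent until DAOS is enabled
        return {}
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() == suffix}


def snapshot(mail_dir, daos_dir):
    """Record on-disk sizes of mail databases (.nsf) and DAOS objects (.nlo)."""
    return {"nsf": _sizes(mail_dir, ".nsf"), "nlo": _sizes(daos_dir, ".nlo")}


def save(snap, path):
    """Persist a snapshot so it survives the server restarts between lab steps."""
    Path(path).write_text(json.dumps(snap, indent=2))


def load(path):
    return json.loads(Path(path).read_text())


def compare(before, after):
    """Per-file change plus totals; net_saved includes the .nlo store's own size."""
    names = sorted(set(before["nsf"]) | set(after["nsf"]))
    rows = [(n, before["nsf"].get(n, 0), after["nsf"].get(n, 0)) for n in names]
    mail_before = sum(before["nsf"].values())
    mail_after = sum(after["nsf"].values())
    nlo_before = sum(before["nlo"].values())
    nlo_after = sum(after["nlo"].values())
    return {
        "rows": rows,                                   # (file, bytes before, bytes after)
        "mail_saved": mail_before - mail_after,         # shrinkage of the mail files alone
        "daos_store": nlo_after,                        # bytes now held as .nlo objects
        "net_saved": (mail_before + nlo_before) - (mail_after + nlo_after),
        "new_nlo": sorted(set(after["nlo"]) - set(before["nlo"])),
    }


if __name__ == "__main__":
    # Constructed demo tree: three mail files that each hold the same 4000-byte
    # attachment, then the same files after the attachment moved to one .nlo.
    with tempfile.TemporaryDirectory() as tmp:
        mail, daos = Path(tmp, "mail"), Path(tmp, "daos")
        mail.mkdir()
        users = ("user1.nsf", "user2.nsf", "user3.nsf")   # constructed names
        for name in users:
            (mail / name).write_bytes(b"\0" * 5000)
        before = snapshot(mail, daos)

        (daos / "001").mkdir(parents=True)
        (daos / "001" / "constructed.nlo").write_bytes(b"\0" * 4000)
        for name in users:
            (mail / name).write_bytes(b"\0" * 1000)
        report = compare(before, snapshot(mail, daos))

        for name, b, a in report["rows"]:
            print(f"{name}: {b} -> {a} bytes")
        print("mail files shrank by", report["mail_saved"])
        print("DAOS store holds", report["daos_store"])
        print("net saving", report["net_saved"])
```

The net figure is smaller than the shrinkage of the mail files because the attachment still occupies space once in the DAOS directory.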
1.3.3 Validate the database size being reported
__1. Open the Domino Administrator client. Use the “Admin” location with username of sadmin/demoibm and password of “passw0rd”.
__2. Make sure you are connected to the domino85/demoibm server.
__3. Go to the “Files” tab and select the “Mail” folder to look at the size of the mail files.
__4. Notice the difference between the “Logical Size” and the “Physical Size”. Again, you might need to refresh the view here to get things to display properly. Press F9 on your keyboard to refresh the Notes view.
Troubleshooting: If the Logical sizes still don't look right after a view refresh, open a mail file, close it, then refresh the view again. The Domino server doesn't calculate the logical size of a database until it's been opened, so if you haven't opened any mail files, then the logical sizes might be off. In a real-world environment, users are always opening their mail files, so this won't be a concern.
1.4 Summary
__1. In this lab, the workshop participant has examined the new features of DAOS and has successfully completed the new feature review.
Lab 2
ID Vault and Shared Login
The purpose of this lab is to demonstrate the new capabilities of the Notes ID Vault and Notes Shared
Login features.
After completion of the lab, the workshop participant will be able to understand the benefits, functionality
and operation of the two features both individually and when implemented together.
2.1
Part One - Notes ID Vault
The Notes ID vault is an optional, server-based database that holds protected copies of Notes user IDs.
An ID vault allows administrators and users to easily manage Notes user IDs. Users are assigned to a
vault through policy configuration, and copies of user IDs are uploaded to a vault automatically once the
policy has taken effect.
The Notes ID vault has the potential to replace time-consuming, expensive ID file and password
recovery systems. Instead of administrators having to send out physical copies of ID files to new users,
the ID files can be automatically downloaded from the vault when the user first logs into their Notes
client.
Administrators can provide instructions in the Notes login window for users who have forgotten their
passwords, with either contact details or a link to a self-service password reset application.
If ID files are lost or damaged, users are not hindered because copies of the IDs can be immediately
downloaded from the vault when users provide the correct passwords.
In addition, tasks involving the ID file, such as ID file synchronization, ID renames, and ID key roll-overs,
no longer require any user involvement and can automatically be handled by the ID vault, reducing
complication and saving time.
The “Auditor” function can be used to extract ID files for legal discovery or access to encrypted data,
potentially preventing the loss of valuable information.
2.1.1 ID Vault creation
In this step we will use the Domino Administrator client to create and configure a Notes ID Vault.
__1. Start the Domino server from the desktop icon.
__2. When the server has started, start the Domino Admin client from the desktop icon.
__3. Login as sadmin with password passw0rd.
__4. Press Cancel when prompted to log on to instant messaging.
__5. Close the Welcome Screen.
__6. Switch to the Configuration tab.
__7. Select Create from the ID Vaults section in the Tools navigator.
__8. Click Next on the Create and Configure Notes ID Vault page.
__9. Enter “Demo” for the Notes ID Vault name and description and click Next.
__10. Enter “passw0rd” as the Vault ID password and click Next.
Note: A vault ID will be created in the Notes client data directory location as indicated. This ID will be required for certain vault operations such as creating and removing vault replicas and should be secured in the same way as a certifier ID.
__11. Accept Domino85/demoibm as the vault server – this is the server on which the vault will be created - and click “Next”.
__12. Accept sadmin/demoibm as the vault administrator – this is the person who will have physical access to the vault, will be able to add or remove other vault administrators and delete IDs from the vault - and click Next.
__13. On the Organizations dialog, click Add or Remove, select /demoibm - only IDs certified with this certifier will be able to be uploaded to the vault - and click Add and then OK and Next.
__14. For the names that are authorized to reset passwords select sadmin and Natalie Olmos and click Add and then Next.
__15. For the policy assignment, select Create a new policy assigned to specific people or groups and click Next.
Note: An efficient way to deploy the ID vault could be to create a new policy assigned to a home server. This will result in an auto-populated group being created which will keep its membership in sync with the set of users whose home server is selected. However, this involves waiting for server background processes to populate the group and to update certain hidden views in the Domino Directory. For the purposes of this lab it is easier if we work with individual users.
__16. On the “Select People” screen, click the Add or Remove button and select sadmin, click Add, OK and then Next.
__17. Add some text in the Forgotten Password Help Text dialog and click OK.
__18. Verify your selections and select Create Vault.
__19. The vault creation process will begin and you will be prompted to enter the location of the certifier.
__20. Click on the Certifier ID button and navigate to C:\Lotus\Notes\Data\IDs\cert\cert.id and click OK.
__21. When prompted enter “passw0rd” as the password.
__22. The vault should be created and a summary dialog displayed.
__23. Click Done to close the dialog.
Review end result of ID Vault Creation
__24. Switch to the Files tab in the Domino Administrator client.
__25. Select the IBM_ID_VAULT folder. This view shows the database that has been created to store and manage the Notes IDs.
Troubleshooting: If the IBM_ID_VAULT folder is not in the folder list press F9 to refresh the view.
__26. Open the Demo database and look at the three views:
__a. The Vault Users view should be empty – this is because no IDs have yet been uploaded to the vault.
__b. The Vault Servers view shows us the single server on which we have deployed the vault. If we were to create replicas of the vault on other servers, those servers would then be listed here.
__c. The Inactive User Ids view should also be empty – this view would show us any IDs that were stored in the vault but were no longer in use within our environment – for example those for users who have left the organization.
__27. Open the ACL of the vault database (File menu -> Application -> Access Control). Notice that the only IDs who have any access to the server are the vault administrator and the server on which the vault is deployed. All other entries in the ACL are set to have No Access. Notice also the Auditor role. This has not been assigned to any ID yet. We will be looking at this feature later in the lab so to save having to come back later, we will enable it now.
__28. Highlight sadmin/demoibm in the ACL and click on the Auditor role.
__29. Click on OK and then close the Demo vault database.
__30. Switch to the Configuration tab.
__31. Expand the Security section of the navigator to see a new section here for ID Vaults.
__32. Click on ID Vaults to see the directory entry for the ID Vault that we just created. Notice that the ID Vaults Manage and Delete tools now become available in the Tools navigator. The vault administrator can use these tools to amend the configuration of the ID vault or remove it from the domain.
__33. Expand the Certificates section and click on the Certificates view. Collapse everything, either with the menu selection, the toolbar button, or the “Shift-” keyboard shortcut.
__34. Expand the Password Reset Certificates and Vault Trust Certificates sections.
__35. These are the certificates that were created during the vault deployment process.
__a. Notice that there are two password reset certificates – one for Natalie Olmos and one for sadmin. The Password Reset Certificates show that these two users are certified to reset passwords for IDs that have been certified by /demoibm
__b. Notice that there is a single vault trust certificate between /demoibm and /Demo. This shows that the Demo vault is certified to store IDs that have been certified by /demoibm
__c. Switch to the People & Groups tab, click on Settings in the navigator.
__d. Open the DemoVaultSetting Security Settings document and click on the ID Vault tab. This is the policy security setting that was created during the Vault deployment process.
__e. Notice that by default “Allow automatic ID downloads” is set to Yes. This means that a user can download the ID as many times as they need after initial registration, a password reset or an ID recovery action. If this field is set to “No”, administrators can restrict the number of times an ID can be downloaded and for how long the ID is available for download. Notice also that, by default, the user will be prompted to change their password after a password has been reset.
__36. Close the Settings document.
__37. Still in the People & Groups tab, click on Policies in the navigator.
__38. Open the DemoVaultPolicy. This is the policy that was created during the Vault deployment - notice that this is set to use the DemoVaultSetting security setting. Notice also the new Policy Assignment tab. In Domino 8.5, users and groups can be assigned to explicit policies (instead of explicit policies being individually assigned to users through the person document).
__39. Click on the Policy Assignment tab and you should see the entry for sadmin.
2.1.2 Process for Existing User
In this step we will review how the IDs are uploaded into the vault for existing user accounts, i.e. accounts that were already in existence when the vault was created. During the vault creation we created a policy and assigned it to a home server group for the server. Therefore the policy applies to our administration user and the next time the user logs in, the Notes ID should be uploaded to the vault.
__1. Close down any Notes or Domino Administrator client that you currently have open.
__2. Launch the Notes 8.5 client and select Online – Admin as the location.
__3. Enter the password “passw0rd” and click Login.
__4. Watch the status bar and you should see the message indicating that the Notes configuration has been refreshed.
__5. Select File > Security > User Security from the menu.
__6. Enter the password “passw0rd” again.
__7. In the Your Login and Password Settings section you should see the message indicating that the ID has been backed up into the vault.
Troubleshooting: It may take some time for the policy to be invoked. During that time, the field highlighted above will not appear. If this happens, try manually forcing the policy. To do so, open the Domino Directory on Domino85/demoibm then open the person document for “sadmin” and put it into edit mode. On the Administration tab, go to the “Assigned policy” field and enter /DemoVaultPolicy. Save and close the person document then restart the Notes client, and try the steps again. If that doesn't work, just wait a while. Proceed with the lab section “Process for new users”, and check back on this step later. Notes may not upload the ID file immediately.
__8. Click OK to close the dialog and launch the Domino Administrator client from the Open menu.
__9. From the Files tab, select the IBM_ID_VAULT folder and open the Demo database.
__10. You should see a single record in the Vault Users view indicating that sadmin's ID has been uploaded into the vault.
__11. Open the record to see the entry along with the encrypted ID file.
Note: Although you could save a copy of the attached file in this document it could not be used as a Notes ID file. The only way to extract a working ID file from the vault is to use the Domino Administrator tools.
2.1.3 Process for new users
In this step we will review how the Notes ID vault can manage the distribution of Notes IDs to new users.
__1. Make sure that you are logged into the Domino Administrator with the sadmin ID and switch to the Configuration tab.
__2. Select Registration > Person from the Tools menu.
__3. You should be prompted for the password for the /demoibm certifier. Enter “passw0rd” as the password and click OK.
__4. Enter the details for a new user as follows:
First Name: New
Last Name: User1
Password: passw0rd
Explicit Policy: /DemoVaultPolicy
Create Notes ID for this person: Checked
__5. Check the Advanced checkbox so that the other options are displayed.
__6. Click on the ID Info tab and make sure that “In Domino Directory” and “In file” are not checked as locations for storing the user ID.
Notice that, as a result of selecting the DemoVault policy, the location “In Notes ID vault” has been automatically selected and cannot be deselected.
__7. Click the green tick in the bottom right corner to add New User1 to the registration queue.
__8. Return to the Basics tab and perform the same steps to create a second user “New User2”
__9. Select Register All to register the users and create the mail files and Notes IDs
__10. Click OK on the “People registered successfully” prompt and then Done to close the dialog box.
__11. Switch to the Files tab and open the Demo Vault again (IBM_ID_VAULT\demo.nsf). You should see the new entries for New User1 and New User2 with their encrypted IDs attached. Your admin ID might be here by now. If it is, go back up and complete that step, then come back here.
__12. In order to see what happens when a new client is configured, we will need to simulate a new client installation. Close down any Notes or Administrator client that you currently have open.
__13. Double-click on the Domino85 Computer icon on the desktop and navigate to the C:\Lotus\Notes directory.
__14. Locate the notes.ini file and open it with notepad.
__15. Delete all the lines below InstallType=2 but make sure that you leave the cursor on the line below the last line of text when you save the document.
__16. Then navigate to the C:\Lotus\Notes\Data directory and rename the names.nsf file to names-old.nsf – Don't delete the original file as we will re-instate this later.
__17. Start the Lotus Notes client and you will see the Lotus Notes 8.5 Client Configuration dialog you would expect if you were starting an unconfigured client for the first time.
__18. Click Next on the first page
__19. Enter “New User1” for Your name and “Domino85/demoibm” for the Domino server and click Next
__20. You should then be prompted for the user's password. Since the ID file has not been saved anywhere except in the ID vault, the configuration process must be communicating with the ID vault.
__21. Enter “passw0rd” for the password and click Login
__22. Click Next on the Additional Services dialog and the client should start up.
__23. Select File > Security > User Security from the menu and enter the password again and you should see the dialog indicating that you are using an ID that has been backed up into the vault.
2.1.4 Re-instate original NAMES.NSF
Before we go any further we will re-instate the original NAMES.NSF as this contains location documents for our users which match their user IDs with their mail files and ensure that, as we switch user identities, we pick up all the correct user settings.
__1. Close down any Notes or Domino Administrator client that you currently have open.
__2. Double-click on the Domino85 Computer icon on the desktop and navigate to the C:\Lotus\Notes\Data directory
__3. Rename the names.nsf file to names-new.nsf
__4. Rename names-old.nsf to names.nsf
__5. Restart the Notes client
__6. Select the Online – Admin location document.
__7. Enter password “passw0rd”
__8. We will create a new location document for New User1 to make it easy to switch to the appropriate Notes settings.
__9. Select File > Preferences from the menu
__10. Click on Locations
__11. Highlight the Online-Admin location and click Copy
__12. Edit the copied location document
    __a. On the Basics tab, change the location name to “Online – New User1”
    __b. On the Basics tab, change the Internet mail address to “nuser1@demoibm.com”
    __c. On the Mail tab, change the mail file to “mail\nuser1.nsf”
    __d. On the Advanced tab, change the user ID to “C:\Lotus\Notes\Data\user.id”
    __e. Click OK to save the changes
    __f. Switch to the Online - New User1 location and log in to test it.
2.1.5 User Forgets Password
In this step we will review what happens when a user forgets their password. For the purposes of this exercise we will imagine that New User1 has forgotten their password and rings the HelpDesk to get the password reset. Remember that we gave Natalie Olmos the rights to reset passwords during the vault creation process. In this step Natalie will reset the password for New User1.
__1. Close down any Notes and Domino administrator client that you currently have open.
__2. Start Lotus Notes and select Online – New User as the location.
__3. Click on the “Forgot your password” link.
Notice that the text shown is the text we entered as the help text during the vault configuration process.
__4. Switch to the Online – Natalie location and login with password “passw0rd”
__5. Open the Domino Administrator client from the Open menu
__6. Close the Welcome page
__7. Click on the People & Groups tab and then the People view. Navigate to New User1's person document and with the document highlighted in the view select ID Vaults > Reset Password from the Tools navigator on the right side of the screen.
__8. In the Reset User's Password dialog, enter a new password eg: “resetPassw0rd1” and click the Reset Password button.
__9. When you receive a message indicating that the password has been successfully reset, click OK.
__10. Close the Domino Administrator client and the Notes client.
__11. Now let's login as New User1 again. Launch the Notes client and select the Online – New User1 location.
__12. Enter the new password “resetPassw0rd1”. As specified in the policy, because the password has been reset, you are now prompted to change the password to one of your own choosing.
__13. Change the password back to “passw0rd”
2.1.6 User changes password
In this step we will review what happens when a user changes their password on one copy of their ID. First we will create a separate copy of New User1's ID to simulate the use of the Notes client on a second computer. Then we will change the password on one copy of the ID and observe what happens when we switch to the other copy of the ID.
__1. Close down any Notes or Domino Administrator client that you currently have open.
__2. Double-click on the Domino85 Computer icon on the desktop and navigate to the C:\Lotus\Notes\Data directory
__3. Locate the file user.id
__4. Create a copy of the file and name it user1.id
__5. Start the Lotus Notes 8.5 client
__6. Select the Online – New User1 location
__7. Enter the password “passw0rd” and click Login
__8. Select File > Security > User Security from the menu and enter the password again.
__9. Click on the Change Password button.
__10. Enter the current password again (“passw0rd”) and click Login
__11. Enter a new password – eg: “newpassw0rd” and click OK
__12. Click OK on the “Your password change succeeded” dialog and click OK to close the User Security dialog. As part of the password change process, the changed password information has been synchronized with the ID vault record.
__13. Select File > Security > Switch ID
__14. Navigate to C:\Lotus\Notes\Data, select user1.id and click Open
__15. Enter “newpassw0rd” as the password and click Login. Notice that you are able to login with your new password even though you did not change the password on this copy of the ID file.
__16. Select File > Security > Switch ID again and switch back to the original user.id file.
2.1.7 ID becomes corrupted or lost
In this step we will review how recovery from a corrupted ID can be achieved. In the case of corruption, the affected user ID would need to be deleted from the data directory so that a new ID could be downloaded.
__1. Shut down any Notes or Domino Administrator clients that are currently open.
__2. Double-click on the Domino85 Computer icon on the desktop and navigate to the C:\Lotus\Notes\Data directory and delete any user ID files – user.id, user1.id, user-old.id, that are here. Do NOT delete any ID files that are in subdirectories of the Data directory.
__3. Restart the Notes client
__4. Select the Online – New User1 location and enter “newpassw0rd” as the password.
__5. Even though there was no user ID present you were seamlessly logged into Notes because the correct password was entered allowing a new copy of the ID to be downloaded to your client from the vault.
__6. Check the C:\Lotus\Notes\Data directory and you will see a new copy of the user ID has been created.
2.1.8 Auditor Feature
In this step we will review how an auditor can be configured to get access to a user's ID without their co-operation or knowledge. In order to perform this, a user must both be a vault administrator and have the Auditor role configured in the ACL. When we were reviewing the ID Vault configuration, we assigned the Auditor role to sadmin. In this step we will use sadmin's ID to download a copy of New User1's ID and use it to login to Notes where sadmin would then be able to access any data encrypted by or for New User1. To show this we will first send some encrypted mail to New User1.
__1. From the bottom right corner of the client, select the Online – Natalie location.
__2. Enter “passw0rd” as the password and click Login
__3. Open Natalie's mail file from the Open menu
__4. Select New Mail and complete as follows
    __a. Enter “New User1” in the To: field
    __b. Enter “An example of encrypted mail” as the Subject
    __c. Enter “This mail has been encrypted”
    __d. Click on “Delivery Options” in the Action bar, check the Encrypt check box under Security Options and click OK.
__5. Send the email.
__6. From the bottom right corner of the client, select the Online – Admin location and enter the password “passw0rd”
__7. Open the Domino Administrator client from the Open menu.
__8. Switch to the People & Groups tab and click on the People view.
__9. Highlight the person entry for New User1
__10. From the Tools navigator, select Extract ID from Vault from the ID Vaults section.
If the ID were being extracted so that a physical copy could be given to the user, and the vault administrator performing the task did not have the Auditor role, the current password for the ID would have to be supplied here. This means that either the user would have to have given the administrator the current password or the administrator would have had to have reset the password to something that he/she would then know. In either of these cases, the user would be aware an activity had been performed against their ID.
As sadmin has the Auditor role, a password does not need to be supplied in this dialog.
__11. Click OK without supplying a password.
__12. Enter user-audit.id as the file name and click Save
The administrator is then prompted to supply a new password for the new ID copy.
Note: This password is for this copy of the ID only and does not affect the copy in the vault, nor therefore any copy in use by the user.
__13. Enter a new password of “auditpassw0rd” and click OK
First let's prove that although the administrator has access to New User1's mail file (LocalDomainAdmins have Manager access to all mail files) the ID is not able to read the encrypted mail that was sent from Natalie.
__14. Switch to the Files tab
__15. Open the file mail\nuser1.nsf
__16. Open the email sent from Natalie. You should see the message indicating that the document is encrypted and not intended for you.
__17. Click OK. Notice that the email opens but you are not able to read the contents.
__18. Close New User1's mail file
__19. Close the Domino Administrator client.
__20. Select File > Security > Switch ID from the menu
__21. Navigate to the C:\Lotus\Notes\Data directory and select user-audit.id
__22. Enter the password “auditpassw0rd”
__23. Select File > Open > Lotus Notes Application
__24. Select Domino85/demoibm as the server
__25. Navigate to the New User1 mail file in the mail directory.
__26. Open the mail file and the encrypted document. Note that you can now see the contents of the mail message.
__27. Select the Online – New User1 location.
__28. Login with New User1's password “newpassw0rd” and notice that this is still valid and does not require changing.
If you open New User1's mail file you will notice that the encrypted mail message now shows as having been read. In a real audit scenario, it is more likely that a copy of the required application would be made so that any action by the auditor would not be visible to the users.
2.1.9 User leaves the organization
In this step we will show what can happen in the situation where a user leaves the organization but their ID needs to be securely retained for audit or information retrieval purposes. We need to use our New User1 identity in the next exercise so in this step we will remove the account of New User2.
__1. Switch to the Online – Admin location.
__2. Open the Domino Administrator client.
__3. Select the People & Groups tab and then the People view
__4. Locate New User2's person record
__5. From the Tools navigator, select Delete from the People section.
Note the option to mark the ID as inactive but keep in the vault.
__6. Leave all the settings as default and click OK.
__7. Switch to the Files tab and open the Demo vault database. Notice that the New User2's record is no longer in the Vault Users view.
__8. Click on the Inactive User IDs view and you should see the New User1's ID record.
2.1.10 Audit Trails and Logs
In this step we look at how the various actions on the vault and the IDs within it are recorded.
__1. Switch to the Files tab and open Domino85's log (log.nsf)
__2. Click on the Security Events view
__3. Open the document(s) in this view
You should be able to see all the key vault associated activities including
    __a. Vault Creation
    __b. Upload of ID to the vault (note that this activity is not well recorded yet – where you see an “Unable to find ID... Error: Entry not found in index” message directly before an “ID successfully synchronized with vault” message for the same user, this is an indication that the ID has been uploaded. Log entries for this activity will be improved in the next release.)
    __c. Download of ID from the vault
    __d. Password change (recorded as ID synchronization)
    __e. Password reset
    __f. Auditor download of ID from the vault
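The upload heuristic from item __b can be applied mechanically when reviewing exported Security Events. The following is an added example, not part of the lab materials or IBM's code: it labels a synchronization entry as an upload only when the “Unable to find ID... Error: Entry not found in index” entry for the same user sits directly before it. The "time | user | message" line layout, the timestamps and the sample entries are constructed assumptions, not real Domino output.

```python
"""Classify ID vault entries exported from the log.nsf Security Events view."""
import re
from typing import List, NamedTuple, Optional

# Only the message fragments quoted in the lab text are matched; whatever
# the real log prints between them is elided in the lab and ignored here.
NOT_FOUND = re.compile(r"Unable to find ID.*Error: Entry not found in index")
SYNCED = re.compile(r"ID successfully synchronized with vault")

# Constructed sample. Layout, timestamps and the bracketed filler are
# assumptions made for this example.
SAMPLE_EVENTS = """\
2009-03-02 10:01:07 | New User1/demoibm | Unable to find ID [constructed filler] Error: Entry not found in index
2009-03-02 10:01:08 | New User1/demoibm | ID successfully synchronized with vault
2009-03-02 10:14:40 | New User1/demoibm | ID successfully synchronized with vault
this line has no separators and is skipped
2009-03-02 10:20:00 | New User2/demoibm | Unable to find ID [constructed filler] Error: Entry not found in index
2009-03-02 10:20:02 | Natalie Olmos/demoibm | ID successfully synchronized with vault
"""


class Event(NamedTuple):
    time: str
    user: str
    message: str


class Finding(NamedTuple):
    time: str
    user: str
    label: str  # "upload", "sync" or "not-found-unpaired"


def parse_events(text: str) -> List[Event]:
    """Parse 'time | user | message' lines, skipping malformed ones."""
    events = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split("|", 2)]
        if len(parts) == 3 and all(parts):
            events.append(Event(*parts))
    return events


def classify(events: List[Event]) -> List[Finding]:
    """Pair each not-found entry with the entry directly after it.

    not-found + sync for the same user -> "upload"
    sync on its own                    -> "sync" (e.g. a password change)
    not-found with no matching sync    -> "not-found-unpaired" (review it)
    """
    findings: List[Finding] = []
    pending: Optional[Event] = None  # not-found entry seen on the previous line
    for ev in events:
        is_sync = bool(SYNCED.search(ev.message))
        if pending is not None:
            if is_sync and pending.user.lower() == ev.user.lower():
                findings.append(Finding(ev.time, ev.user, "upload"))
                pending = None
                continue
            findings.append(Finding(pending.time, pending.user, "not-found-unpaired"))
            pending = None
        if is_sync:
            findings.append(Finding(ev.time, ev.user, "sync"))
        elif NOT_FOUND.search(ev.message):
            pending = ev
    if pending is not None:
        findings.append(Finding(pending.time, pending.user, "not-found-unpaired"))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_events(SAMPLE_EVENTS)):
        print(f"{finding.time}  {finding.user:<24} {finding.label}")
```

A "not-found-unpaired" result is worth a manual look in the Security Events view, since the lab text only explains the not-found message when a synchronization for the same user follows it.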
2.1.11 Summary
In this section of the lab we looked at the new Notes ID Vault feature. We deployed an ID vault and investigated what was involved in uploading ID files from existing users as well as storing ID files in the vault during new user registration. We also explored some of the common ID-related tasks associated with the ID vault such as managing password changes across multiple IDs, resetting forgotten passwords, managing auditor access to IDs and deleting users from the organization. Finally we looked at the audit trail recording the various vault-related activities.
2.2 Part Two - Shared Login
Notes shared login allows users to start Lotus Notes and use their Notes IDs without having to provide Notes passwords. Instead, they only need to log in to Microsoft Windows using their Windows passwords.
This is not the same mechanism as Notes single login, a feature that was introduced in a previous version of Notes. Notes single login was a method of synchronizing the Windows and Notes passwords; Notes shared login removes the need for a Notes password altogether.
Enabling an ID for Notes shared login alters it so the ID works only on the computer on which the feature is activated. This is because the feature relies on a Windows security infrastructure specific to that computer.
With Notes shared login users only need to remember their Windows passwords and administrators are not required to manage Notes passwords or assist users who have forgotten their passwords because there are no longer Notes passwords to manage!
Notes shared login works without interruption when Windows passwords are changed either by users or by administrators on a Windows domain controller.
2.2.1 Configuring Notes Shared Login
In this step we will configure and enable Notes Shared Login
__1. Start Lotus Notes (if not already started)
__2. Select or switch to Online - Admin location
__3. Enter password of “passw0rd”
__4. Select File > Security > User Security from the menu
__5. Enter password of “passw0rd” again.
Note the option to login to Notes using the operating system login is greyed out. This is because this feature is disabled by default.
__6. Close the dialog and open the Domino Administrator client.
__7. Switch to the People & Groups tab and select Settings
__8. Open the DemoVault settings document. Since Notes ID vault and Notes Shared Login can work together we will configure them through the same policy.
__9. Select the Password Management tab and then the Notes Shared Login tab. In this lab we are going to configure Notes Shared Login to be turned on by default and not allow the user to change this.
__10. Select Edit Settings from the Action bar
__11. Configure the tab as follows:
    Enable Notes shared login with operating system    Yes
    How to apply this setting                          Set value whenever modified
    Allow User Changes?                                No
    How to notify users when enabled                   System dialog
    How to notify users when disabled                  System dialog
__12. Click Save & Close in the action bar
__13. Close both the Notes and Domino Administrator clients
__14. Start Lotus Notes client.
__15. Select Online – New User1 as the location document and enter “newpassw0rd” as password.
__16. Within a minute you should get a message pop-up as follows.
Troubleshooting: If the message does not appear after a short while – try starting up the Domino Admin client – this may kick it into action
__17. Click OK to close the message.
__18. Select File > Security > User Security from the menu
Notice that you are no longer prompted for your Notes password as you try to access a secured area of the client. Instead you are prompted for the operating system password of the Windows account with which you are logged in.
__19. Enter the Windows password for sadmin which is “passw0rd” and click Login
Notice that the options under Your ID Settings have changed. The option to login to Notes using the operating system login is now selected and not greyed out and the options for synchronizing your Notes password with your HTTP password and suppressing password prompts from other Notes-based programs are no longer displayed. Neither of these is compatible with Notes Shared Login as there is no longer a password associated with the Notes ID that you are now using with the Lotus Notes 8.5 client.
__20. Restart the Notes client and notice that you are no longer prompted for a password.
2.2.2 Creating password-protected copy of ID
Once Notes Shared Login has been enabled, the ID cannot be copied via operating system mechanisms and used on another client. Enabling an ID for Notes shared login alters the ID so that it only works on the computer on which the feature was activated. This is because the feature relies on a Windows security infrastructure specific to that computer. In this step we will show how a user can create a copy of their ID for use on another client.
__1. Select File > Security > User Security from the menu and enter the Windows password “passw0rd”.
__2. Click on the Copy ID button.
__3. Save the new copy in the same directory as the original ID with the file name user-newcopy.id
Note that you are now prompted to set a password on this new copy to protect it during the transfer to another computer.
__4. Click OK to close the message dialog
__5. Set a password of “copypassw0rd” and click OK
__6. Click OK again on the dialog confirming the creation of the password protected ID
__7. Click Close to close the User Security Settings dialog.
Because we no longer have a Notes login prompt we don't have the opportunity to select a location on Notes client start-up. To re-instate a prompt we have to switch to a new location and then shut down the Notes client.
__8. Switch to the location Online – Samantha
__9. Enter “passw0rd” as the password and click Login.
__10. Then close down the Notes client.
__11. Restart Notes.
__12. Leave the location selected as Online – Samantha but click on the arrow next to the user identity and select “Other”
__13. Navigate to the C:\Lotus\Notes\Data directory and select user-newcopy.id and click Open
__14. Enter the password “copypassw0rd” and click Login. Note that although New User1 won't be directed to the correct mail file when using this location, we won't be using mail in this step and this anomaly should not matter.
__15. After a short while you should see the message telling you that Notes Shared Login has been implemented for this new ID copy.
__16. Before exiting the Notes client make sure that you switch back to the Online – New User1 location.
2.2.3 NSL and ID Vault
Even though there is now no Notes password associated with the ID, it is still possible to store the ID securely in the vault. In this step we will show how the ID is still secured. With the Notes ID Vault we showed how it was possible to resolve an ID corruption by removing the affected file and downloading a new copy from the vault. This worked as long as we entered the correct password for the ID in the vault. Let's see what happens now that we don't have a password associated with our ID.
__1. Shut down any Notes or Domino Administrator clients that are currently open
__2. Double-click on the Domino85 Computer icon on the desktop and navigate to the C:\Lotus\Notes\Data directory.
__3. Rename the user.id file to user-old2.id
__4. Restart the Notes client
Note that, because the client cannot locate the ID file, it has returned you to the login dialog. If the user can remember the password that was set on the ID at the time that Notes Shared Login was enabled, they can enter this or, if not, they will need to contact the HelpDesk to have the password reset.
__5. Enter the password “newpassw0rd” and click Login
You should login successfully and within a short while Notes Shared Login will be re-enabled.
2.2.4 Disabling Shared Login
In this step we will demonstrate what happens when Notes Shared Login is disabled.
__1. Start the Lotus Notes client (if not already started)
__2. Switch to the Online – Admin location
__3. Open the Domino Administrator client.
__4. Switch to the People & Groups tab and select Settings
__5. Open the DemoVault setting and change to the Password Management > Notes Shared Login tab.
__6. Edit the policy settings document and set Enable Notes shared login with operating system to “No”
__7. Close the Domino Administrator
__8. Switch the location to Online – New User1 and then close the Notes client.
__9. Restart the Notes client.
You should be logged in without being prompted for a password as Notes Shared Login is still enabled at the moment
__10. After a short while you should get a message popup as follows.
Troubleshooting: As before, if the message does not appear after a short while – try starting up the Domino Admin client.
__11. Click OK and you will be asked to verify your Windows identity
__12. Enter “newpassw0rd” as the password and click OK
__13. Finally you are prompted to enter a new password.
__14. Enter “newpassw0rd” as the password and click OK
__15. You should then see the following dialog indicating that Notes Shared Login is now disabled and you will need to use a password with your ID from now on.
__16. Restart Lotus Notes and note that you are now prompted for your password again.
2.2.5 Summary
In this section of the lab we looked at the new Notes Shared Login feature. We enabled the feature and investigated how multiple IDs could be managed and how the feature works with the Notes ID vault.
2.3 Summary
In this lab, the workshop participant has examined the new identity management features introduced in Notes/Domino 8.5 and has successfully completed a review of both the Notes ID vault and Notes Shared Login.
Lab 3 Lotus Protector
The purpose of this lab is to explore the capabilities of the Lotus Protector product and its interactions with the Domino server environment. We will be using the VMware-based implementation of Protector, which can be downloaded from the Lotus Developer Works site at http://www.ibm.com/developerworks/lotus but this means that we will need to be running both VMware images concurrently.
If you are currently running the Domino server VM in full-screen mode (there are no window controls visible in the upper-right corner, and you can only see the “Lotus Notes & Domino” desktop), you need to exit full-screen mode. Ctrl-Alt is the keystroke shortcut for doing this. You should now see a toolbar at the top, with window control icons on the right. Mouse-over each to see the description, and click the center one for Iconify the Window. VMware should now be running in a traditional window, with menu- and toolbars at the top.
File -> Open and navigate to and open the Lotus_Protector_for_Mail_Security.vmx virtual machine.
The Domino VM should disappear (don't worry, it's still running) and the Settings screen for the Protector VM should appear. The settings that you see have been modified slightly from the standard download so that things will work in this environment. Power up the VM by pressing the green power button in the tool.
Note: The instructions and screenshots listed in chapter 3.1 are included for reference purposes only and are actually not an interactive part of this lab exercise. The first steps to be carried out by the PoT attendants start with chapter 3.2, which also includes detailed instructions on what to do with the additional Lotus Protector VMware.
3.1 Reference for initial configuration
The initial configuration steps for Protector are not very interesting, but they are time-consuming due to the amount of data that needs to be downloaded. They have been done for you here, and this series of screenshots and explanations has been included for reference.
3.1.1 Initial boot
When the Protector VM first starts up, you'll eventually see a login screen indicating that the VM is in an unconfigured state. Log in using “admin” as both the username and the password.
You'll get the HTTP authorization screen next, which is pre-filled with admin/admin. Tab twice to navigate to and highlight OK and press Enter. Review the Welcome screen and press Enter to proceed.
Next, we need to configure a hostname for the image. Use Backspace to delete the existing text, then replace it with protector.demoibm.com and tab to Next and press Enter. In the real world, this name will probably be whatever is published as the DNS MX record for your organization (mail.company.com)
On the Network Configuration screen, Tab to Next and press Return to leave the selection at DHCP. In the real world, you must use a static IP for a mail exchange host.
For the DNS servers, leave the selection on Automatically Configure and Tab to Next and press Enter.
Next, set up a password for the Linux root user. Use passw0rd.
Next is the admin password, which is used for the Web Management Interface. Select the box for “Same as root” by highlighting the field (if it isn't already) and pressing the SpaceBar, then proceed.
Finally, review the settings and select Next.
Finally, press Escape to exit the setup process and return to the login screen. Protector is now configured enough to access the network, but not enough to do any real work. Log in as root, with the password that you selected, and enter ifconfig eth1 at the command prompt.
Note the newly assigned address, inet addr: 192.168.18.134 in this case. Switch to a client PC and start a browser that has a JRE (Java Runtime Environment) installed. Navigate to the https address of your Protector VM. The browser may give you a certificate error. Ignore this, and proceed to the site. Login with admin and your password. If you're told that someone else is already connected, select the option to disconnect the other user. If you get a Java security warning, select the option to always trust content from this publisher and click Yes. Log in again with “admin” and your password. This will take you to the initial setup assistant.
Click Next to begin, and then agree to the License Agreement and the Export Restrictions. This will take you to the Configuration Methods screen, where you can choose to exit the assistant and continue manually, should you so desire. Click Next on this screen to continue with the assistant. If you have license keys, their installation is next.
After you've uploaded the keys, you'll get a verification screen.
The password configuration screen is next. Passwords were already selected during the console
configuration, but this screen gives you a chance to change them.
Network configuration is next which, again, we did in the console configuration steps. Click Next again to get to the SMTP configuration tab. This is where we start getting to the “real” configuration of Protector.
For the root domain, we've used demoibm.com to match the Domino server environment. And we've changed the postmaster address to sadmin@demoibm.com so that errors will go to the Domino Administrator's account.
For Local Domains we've entered demoibm.com=192.168.18.131 but this will need to be changed later to match your individual network settings. This is the internal machine(s) that Protector will route inbound mail TO.
The rest of the options on this screen can be left as-is, and you can click Next. For Alerts, we've selected everything to be sent to sadmin@demoibm.com and specified the IP address of the server. Again, this is specific to our environment, so you should use settings here that are appropriate for yours.
Time information is next...
That takes care of the initial setup. Click Finish.
Click Continue when you're informed that the configuration is complete.
The management console will automatically go to the Updates page, where it will display an error for the Content Filter Database. If you have an internet connection, click the Update button to connect to IBM and download the current filtering database. Your appliance will not work without this database. (Technically, it will work – it just won't mark anything as spam unless there is a specific rule for it.) This update could take a while. Take a break while the updates load. (This is why we're not doing this as part of the live lab for the Proof of Technology.)
The update will download and self-install. That covers the initial configuration of Lotus Protector, and
what has been done to the VM to prepare for the following lab.
3.2 Configuring Domino for SMTP
First, we have to prepare the VMware image for the Domino server. We will then start Domino and make
sure the proper tasks are running.
__1. If you are currently running the Domino server VM in full-screen mode (there are no window controls visible in the upper-right corner, and you can only see the “Lotus Notes & Domino” desktop), you need to exit full-screen mode. Ctrl-Alt is the keystroke shortcut for doing this. You should now see a toolbar at the top, with window control icons on the right. Mouse-over each to see the description, and click the center one for Iconify the Window. VMware should now be running in a traditional window, with menu- and toolbars at the top.
__2. Pull down the VM menu and select Settings. You'll see a new window displaying the settings for the virtual machine
__3. Verify that the Network Adapter is set to NAT, as shown. If it is, click the Cancel button. If it's not, change it and click the Save button.
__4. Open a command prompt window (use the icon on the desktop) and type ipconfig /release followed by ipconfig /renew. Make note of the resulting IP address. In this case, it's 192.168.18.131. Note the IP address of your system here:
domino85.demoibm.com ____________________________
__5. If Domino is running, restart it by typing restart server in the console window. If it's not running, launch it as an application using the desktop icon.
__6. Verify that the SMTP task is started – you will see messages as the server loads, or after the server is running, you can issue the show tasks command from the console and check that SMTP is loaded and running.
__7. After you have started the server, start the Notes client. The sadmin userid and online location should be selected, and you should be prompted for the password, which is passw0rd.
__8. Open the demoibm directory database names.nsf – the Name and Address book for the server. From the People view, open the person document for Natalie Olmos. Note that her mail server is domino85/demoibm and her internet address is nolmos@demoibm.com
__9. We are going to send Natalie a test email through SMTP, to ensure that routing is working. To do this, we're going to telnet directly to the listening SMTP port 25 on the Domino server and manually create and send an email message. Switch over to your command prompt window, and type telnet domino85.demoibm.com 25. You should see a greeting banner – if not, press Enter once and you should see this:
__10. The next step of an SMTP conversation involves greeting the server. You can either say “helo”
or use the newer, extended format of “ehlo” (extended hello). Once you say hello, you should
get an acknowledgement. Some SMTP servers will follow this with a list of commands that they
understand. Type ehlo domino85.demoibm.com
__11. Now, we write the message. First, identify the sender. You don’t really need to use an actual
userid, but if you want to get failure messages, it would be helpful. (Using someone else’s email
address means they will get any error messages. This is why sometimes you might get
messages that are obviously aimed at spammers.) Type mail from: <sadmin@demoibm.com>
and press Enter. Be careful typing, as deleting an error with the
Backspace key will send characters that SMTP doesn't understand, and will error out the
session. You should get a response as shown:
__12. If you get the OK response, you next specify the recipient. To have a valid test, this should be
a valid user on the mail server (otherwise, it can’t be delivered.) You can specify a user on
another mail server entirely, and some servers will forward the message on. This is known as
an open relay and it is the basis of spam generation. Open relays are evil. By default, Domino
mail servers are not an open relay. Type rcpt to: <nolmos@demoibm.com> and press Enter.
__13. Now the server knows who the message is coming from, and where it's going. Next, it’s time to
actually send the message itself. The message body starts with the “data” command followed
by an Enter keystroke, and ends with a period (“.”) on a line by itself. You can enter anything
you like in the body. You will not see any acknowledgements from the server until you enter the
period to close the message. As you might expect, pressing Enter generates a new line in the
telnet session.
__14. Once you enter the period, you should see an acknowledgement of the message, and it is
routed. If you can watch the console of your Domino server, you should see the message
received and routed (assuming you sent it to a valid user.)
__15. Bring up the Notes client, switch to the Natalie-Online location, and verify that the new mail
message has been received.
__16. Quit the telnet session by entering the Ctrl-] keystroke combination. That should bring you
back to a Telnet> prompt, and you can then type quit to return to a normal command prompt.
__17. One final step before we switch over to further configuration of Protector – we need to ensure
that LDAP is running. In the command-prompt window again, type cd c:\Lotus\Notes to
change into the Notes program directory, then type
ldapsearch -h domino85.demoibm.com uid=sadmin. You should get the person record echoed
on the screen. If so, LDAP is configured properly and is running.
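The manual telnet dialogue from steps 9 through 14, as an added Python example that is not part of the original lab: it reads multi-line replies, dot-stuffs the body so a lone period inside the message cannot end it early, and reports the stage at which a server refuses. The function names, the reply transcripts and the 554 refusal code are constructed for illustration.

```python
import io

def read_reply(rfile):
    """Read one SMTP reply; '250-text' lines continue, '250 text' ends it."""
    texts = []
    while True:
        line = rfile.readline().rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed or missing SMTP reply: {line!r}")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts

def dot_stuff(body):
    """Encode a body for DATA: CRLF endings, leading '.' doubled, lone '.' last."""
    lines = ["." + ln if ln.startswith(".") else ln for ln in body.splitlines()]
    return "\r\n".join(lines) + "\r\n.\r\n"

def send_test_message(rfile, wfile, helo, sender, rcpt, body):
    """Run the dialogue; return ('accepted', 250) or (stage, code) of the refusal."""
    steps = [("banner", None, 220),
             ("ehlo", f"EHLO {helo}\r\n", 250),
             ("mail", f"MAIL FROM:<{sender}>\r\n", 250),
             ("rcpt", f"RCPT TO:<{rcpt}>\r\n", 250),
             ("data", "DATA\r\n", 354),
             ("body", dot_stuff(body), 250)]
    for stage, payload, expected in steps:
        if payload:
            wfile.write(payload)
            wfile.flush()
        code, _ = read_reply(rfile)
        if code != expected:
            return stage, code
    return "accepted", 250

# Constructed server replies (not captured from Domino or Protector).
ACCEPTING = ("220 domino85.demoibm.com ESMTP\r\n250-domino85.demoibm.com\r\n"
             "250-SIZE\r\n250 PIPELINING\r\n250 OK\r\n250 OK\r\n"
             "354 send data\r\n250 queued\r\n")
REFUSING = "220 domino85.demoibm.com ESMTP\r\n250 domino85.demoibm.com\r\n554 refused\r\n"

def demo(replies, body="Subject: test\n\nhello\n.\n"):
    sent = io.StringIO()
    result = send_test_message(io.StringIO(replies), sent, "domino85.demoibm.com",
                               "sadmin@demoibm.com", "nolmos@demoibm.com", body)
    return result, sent.getvalue()

if __name__ == "__main__":
    print(demo(ACCEPTING)[0], demo(REFUSING)[0])
```

Against a live lab server, pass the object returned by `socket.create_connection((host, 25)).makefile("rw", newline="")` as both `rfile` and `wfile`.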
3.3 Lotus Protector Configuration
__1. Leave the Domino VM running, and do a File -> Open in the VMWare window. Navigate to the
Lotus_Protector_for_Mail_Security.vmx file, select it, and click the Open button.
Verify that Network Adapter 2 is set to NAT, and then power up the VM by clicking the “green
arrow” toolbar button. At the login prompt, log in as root with the password of passw0rd. Type
ifconfig eth1 and press Enter to get IP address information for the Protector Server. In this
example, it's 192.168.18.134. Note the IP address here:
Protector.demoibm.com ___________________________
__2. You'll need to make some modifications to the Protector settings to match the IP configuration
of your lab setup. Switch back to the Domino VM by pulling down the Tabs menu in VMWare
and selecting the Domino VM. Start IE and navigate to https://your.protector.IPaddress.
Acknowledge any security warnings, allow the installation of any software, and log in with the
credentials of admin/passw0rd. If you get a notification that the admin session is locked, click
the button to terminate the other session and proceed. You'll land on the Protector homepage.
__3. The tabs across the top should show all green status lights, with the exception of Updates,
which will probably be yellow or red, depending on how out-of-date the installed configuration
database is. No worries about that for now. Expand the SMTP section and select the
Configuration subsection.
__4. On the Global tab, verify that the Root Domain is set to demoibm.com, and that the first three
listed email addresses are sadmin@demoibm.com. You can change the last two to match, if
you'd like, but it's not important right now. Then click the Receiving SMTP tab and scroll down
so that you can see the Local Domains section.
__5. The only local domain that should be listed is demoibm.com. The IP address listed in the Mail
Server column may not match that of your Domino85 server, as noted earlier in section 3.2 step
4. If it doesn't, click the row entry for demoibm.com and then click the pencil icon to edit the
entry. Enter the proper data, then click OK and then click the button for Save Changes.
__6. Next, let's actually set up some mail security rules. Expand the Mail Security tree entry and
select Policy. The selected tab should be Settings and the selected subtab should be Rules.
These are the rules that are executed as mail is processed. There are a couple of rules that we
will use to test our installation. Uncheck Tag Spam. Rather than tagging spam, we are going
to send any spam detected to a quarantine. Check Quarantine Spam. It makes little sense to
tag and quarantine, so a site will generally do one or the other. Check MyMail. This is a test
rule that marks any mail that has “MyMail” in the subject line. Your screen should match this
when you're done. Click the Save Changes button.
__7. Click the User Access List subtab. Change the Default Access Mode to Granted and click
the Save Changes button. This allows all users to view their quarantine from a web browser.
__8. Next, we configure Protector to connect to the Domino LDAP server. Click on Policy Objects
in the left-hand menu tree and then click the Directories tab. Select the Domino Example
Domain in the list and click the Pencil icon to edit it.
__9. On the Edit screen, click the checkbox next to Active and change the name to DemoIBM. For
the Host field on the LDAP Server tab, enter the IP address of your Domino server. Enter
sadmin for the username and then click the Enter Password button. Enter passw0rd in both
fields, and click OK to close the window and then Save Changes.
__10. Next, click the Who tab and then click the plus icon to add an entry. Make sure that the Active
checkbox is selected, and add DemoIBM in the Name field. Change the Type to Directory and
then choose DemoIBM in the drop-down.
__11. Click OK and then Save Changes, then select Verify Who Objects in the left-hand menu.
Leave the selection of All Who Objects and click the Submit button.
__12. Everything should check out as OK.
__13. Now, we can route mail through Protector. Switch to your command-prompt window and start
another telnet session, but this time, connect directly to the Protector server.
Telnet protector.server.IPaddress 25 and “greet” the server with an ehlo protector.demoibm.com
__14. mail from: <sadmin@demoibm.com> and rcpt to: <nolmos@demoibm.com>
__15. data followed by an Enter keystroke, then Subject: test message through protector followed
by another Enter keystroke. Add in whatever message data you like, and close the
communication with a . character.
__16. Repeat the process, but this time include the text MyMail somewhere in the subject line of the
message. This will trigger the rule that you enabled earlier.
__17. If Protector sees an email message with a subject containing “MyMail” it will re-write the subject
line, starting it with “MyMail found in”. Switch to the Notes client and Natalie's location, and
open mail. You should see the messages that we just sent, with the re-written subject line on
the MyMail message.
__18. It may take a few minutes for everything to route through. If things seem stuck, go back to the
Protector web console, expand SMTP, and select the Queue Browser. Check each queue for
“stuck” messages and check the log details for each one for troubleshooting purposes.
__19. The last step, once routing is working through Protector, is to lock down the Domino server so
that it won't accept SMTP mail from other sources. From the Notes client, switch to the Admin
location and open names.nsf on Domino85/demoibm. Expand the Configuration section,
expand Servers, and click the Configurations subsection.
__20. Edit the configuration document for the Domino85 server. (In the real world, you'd edit the
config doc for All Servers, but it takes a while for those changes to apply to other servers, and
we don't want to wait, so we'll edit the Domino85 config doc directly.)
__21. Click the Router/SMTP tab, then the Restrictions and Controls tab, then the SMTP Inbound
Controls tab. Scroll down to the Inbound Connection Controls section. In the Allow
Connections only from the following SMTP internet hostnames/IP addresses field, enter
the IP address of your Lotus Protector appliance.
__22. Click the Save and Close button, then restart the Domino server by typing restart server in the
console window, followed by a Return keystroke.
__23. Once the server is back up, switch to your command prompt again and
telnet domino85.demoibm.com 25
__24. ehlo domino85.demoibm.com
__25. mail from: <sadmin@demoibm.com> should give you an error message back.
__26. Now that everything is working, let's do some more work with rules. Rules are defined in the
Mail Security section, under Policy. Open the management console at
https://protector.server.name and you should see Mail Security as the second option in the menu.
Expand it, and select Policy. There are a number of predefined rules that ship with the product.
Two are contradictory – Tag Spam and Quarantine Spam. If the Tag Spam rule is activated, all
mail determined to be spam has its subject changed to mark it as spam. The mail is then
delivered to the recipient. This saves space on the Protector appliance, since mail is not saved
– it is delivered. If the Quarantine Spam rule is activated, mail determined to be spam is saved
in the quarantine folder on the appliance. Mail in the quarantine is deleted on a timer. It makes
no sense to tag spam and then quarantine it, as well. Make sure only one of these rules is
active at any given time.
__27. You can create custom rules to handle specific situations in your enterprise. In this example we
will write a rule to tag all mail that comes from IBM. To create a new rule, press the plus sign on
the rules panel (all the buttons are on the top right row.) For the name, enter Mail from IBM.
You may also enter a comment to describe the rule.
Rules all have the same basic options:
• Pre Conditions are conditions that are met before the mail begins processing – the
defaults are “spam detected” and “binary detected.” Our IBM rule has no pre-conditions.
• Senders define who sent the mail. If you are trying to identify mail by source, this
would be the portion of the rule you would use. You can verify that the sender is in
your Domino Directory or that it is a valid email address. To do matching, you would
use an analysis module (below.)
• Recipients define who receives the mail. If you are filtering by source (say all the mail
to the marketing department), this would be where that condition is defined.
• Whens defines a time period during the day when this rule is in effect. This probably
only makes sense for outbound mail – spam can arrive at any time!
• Analysis Modules define the modules used to filter the mail. These can be standard
modules included with the appliance, or you may create your own. We will create our
own for the IBM rule.
• Responses define what happens when the rule conditions are met. If the mail passes
the tests, the response is applied.
• Action determines what happens next. After the rule completes, mail can be “allowed”
which sends it on, “blocked” which quarantines it, “continue” which continues to the
next rule or left blank, which deletes the mail.
__28. For our rule, we will check the sender with an Analysis Module and define a Response.
Right-click in the box under Analysis Modules. We will add new analysis modules, so select that
option from the menu. (Later, you can edit your modules, if need be.)