Thursday, 25 October 2012

Lotus Domino - For a change ….

This article outlines a couple of potentially useful tips for Lotus Domino administrators.

Whilst helping a friend debug a problem with the import of a WebSphere LTPA token into Domino, I "discovered" two useful (to me) things: -

Remote Console

Firstly, when running a remote Domino server, it's nice to be able to access the console at your desktop, rather than needing to walk across the floor to the server. In my case, the Domino server is running on a Red Hat Enterprise Linux 6.3 VMware image on my Lenovo Thinkpad ( which is running Ubuntu 12.04 ) on my desk in Hursley - which is about 25 miles from where I'm sitting.

Now there are various ways to get access to the Domino console ( especially when the server is running on Linux ), not least of which is to start the server within a terminal session: -

$ /local/notesdata/DomShrct.sh

or: -

$ cd /local/notesdata
/opt/ibm/lotus/bin/server

So, here's a third way to get the console working, in a GUI :-)

This requires an X11 tunnel to be created between the client PC ( on which the X11 server actually runs !! ) and the target server.

cd /local/notesdata
/opt/ibm/lotus/bin/server -jc

The -jc option is the thing that starts the Java Console, which is then tunnelled back from the server to the client, and the command returns: -

Domino Server Controller started at 25/10/12 12:18.
Host name is localhost/127.0.0.1
Listening for connect requests on TCP Port:2050

Domino Console started at 25/10/12 12:18.
localAdmin connected from localhost/127.0.0.1 at 25/10/12 12:19.


etc.

More importantly, an X11 window pops up with the console contained within.


Along with the File menu shown above, there's also some useful functionality on the Edit menu: -


and the View menu: -


So you now have another choice for the Domino console, along with the terminal and the nice-but-limited Web Administrator ( http://wp7.uk.ibm.com/webadmin.nsf ).

LTPA Token Import Debugging

As per this IBM Technote: -


this message is rather annoying: -


So Domino 8.5.X has a solution - the Domino configuration parameter - debug_ltpa_key_import=1 - which SHOULD provide some rather useful debug output when importing an LTPA token - as per the Technote's examples: -

Successful import of WAS key:

01/14/2009 03:35:48.33 PM [1208:0002-1274] LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\lotus\waskeys
01/14/2009 03:35:48.34 PM [1208:0002-1274] LtpaImportWSKeyFile> Successfully read file to memory
01/14/2009 03:35:48.34 PM [1208:0002-1274] LtpaImportWSKeyFile> Successfully imported WebSphere LTPA keys from file


Bad Password given for WAS key:

01/14/2009 03:36:29.81 PM [1208:0002-1274] LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\lotus\waskeys
01/14/2009 03:36:29.81 PM [1208:0002-1274] LtpaImportWSKeyFile> Successfully read file to memory
01/14/2009 03:36:29.81 PM [1208:0002-1274] LtpaDecryptKey> Error as decrypted key has invalid padding
01/14/2009 03:36:29.81 PM [1208:0002-1274] LtpaEncodeData1> Error processing, phase 2
01/14/2009 03:36:29.81 PM [1208:0002-1274] LtpaImportWSKeyFile> Error processing key file contents, phase 3


Invalid or Nonexistent PATH specified:

01/14/2009 03:36:58.32 PM [1208:0002-1274] LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\waskeys
01/14/2009 03:36:58.32 PM [1208:0002-1274] LtpaImportWSKeyFile> Failed to open file at path c:\waskeys for reading

Sadly, at least for me, I couldn't work out precisely where this debug is supposed to appear - I'd assumed the Domino console ( see above ).

However, having set the parameter, and tested by importing a token using a Notes client against the server's names.nsf, whilst I did get "Error importing WebSphere LTPA keys. Check file path and password", I did NOT see anything else on the Domino console or in the log.nsf file.

I'm not the only person to have noticed this - I also see a forum posting here: -


I've raised a PMR with IBM Support, and will update this post when I find out more.

*UPDATE* My contact in IBM Support did point out my obvious mistake - the Technote requires that debug_ltpa_key_import=1 be set in the CLIENT notes.ini rather than on the SERVER. Doh!

Sadly, this didn't seem to make any difference, and I've fed this back to L2. Will see what he comes back with.

**UPDATE #2** So, I now have this working - three things to note: -

(a) As mentioned before, the debug_ltpa_key_import=1 statement needs to be set in the notes.ini file on the Notes client - I was using Notes 8.5.3 FP1 Basic (nlnotes.exe) on Windows XP SP3
(b) There needs to be at least one Carriage Return/Line Feed character AFTER the parameter e.g.

...
NSF_HOOKS=NLNVP
SelectNamesDialogSize=189,828,155,518,
NameAddressingDlgLastViewName=0,List by name

debug_ltpa_key_import=1



...
(c) The output is written to the Notes client's console.log file - for me, this was located here: -

C:\lotus\notes\data\IBM_TECHNICAL_SUPPORT

( for the record, notes.ini is in C:\lotus\notes 'cos I hate Windows path names that include space characters - C:\Program Files\ - I'm looking at you ... )

This is what the LTPA debug stuff looks like: -

Incorrect file name / path

[0408:0002-0D8C] 31/10/2012 10:13:15.84 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\foobar.key
[0408:0002-0D8C] 31/10/2012 10:13:15.84 LtpaImportWSKeyFile> Failed to open file at path c:\foobar.key for reading


Incorrect password

[0408:0002-0D8C] 31/10/2012 10:16:30.76 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\temp\bpm_ltpa.key
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaImportWSKeyFile> Successfully read file to memory
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaDecryptKey> Error as decrypted key has invalid padding
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaEncodeData1> Error processing, phase 2
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaImportWSKeyFile> Error processing key file contents, phase 3


Successful import

[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\temp\bpm_ltpa.key
[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Successfully read file to memory
[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Successfully imported WebSphere LTPA keys from file
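
The three outcomes above can be told apart mechanically when reviewing a console.log. The following Python is an added example, not part of the original post and not IBM code: it groups the LTPA debug lines into import attempts and labels each one, accepting both the Technote layout and the Notes client layout shown on this page. The function name and outcome labels are this example's own.

```python
import re

# Matches both layouts on this page: the Technote prints the timestamp before
# the bracketed id, the Notes client console.log prints it after.
LINE_RE = re.compile(
    r"^(?:\[[0-9A-F:-]+\]\s+)?"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2}(?: [AP]M)?)\s+"
    r"(?:\[[0-9A-F:-]+\]\s+)?"
    r"(?P<func>Ltpa\w+)> (?P<msg>.*)$")
START = "Importing WebSphere LTPA keys from file at path "
# First matching message after START decides the outcome (labels are this example's own).
OUTCOMES = [("Successfully imported WebSphere LTPA keys", "success"),
            ("Failed to open file at path", "bad_path"),
            ("decrypted key has invalid padding", "bad_password"),
            ("Error processing", "other_error")]

def classify_imports(log_text):
    """Return one dict per import attempt: time, key file path, outcome."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an LTPA debug line
        msg = m["msg"]
        if m["func"] == "LtpaImportWSKeyFile" and msg.startswith(START):
            current = {"time": m["ts"], "path": msg[len(START):], "outcome": "incomplete"}
            attempts.append(current)
        elif current and current["outcome"] == "incomplete":
            current["outcome"] = next(
                (label for text, label in OUTCOMES if text in msg), "incomplete")
    return attempts

# Client console.log lines copied from the excerpts on this page.
SAMPLE = r"""
[0408:0002-0D8C] 31/10/2012 10:13:15.84 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\foobar.key
[0408:0002-0D8C] 31/10/2012 10:13:15.84 LtpaImportWSKeyFile> Failed to open file at path c:\foobar.key for reading
[0408:0002-0D8C] 31/10/2012 10:16:30.76 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\temp\bpm_ltpa.key
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaImportWSKeyFile> Successfully read file to memory
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaDecryptKey> Error as decrypted key has invalid padding
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaEncodeData1> Error processing, phase 2
[0408:0002-0D8C] 31/10/2012 10:16:30.78 LtpaImportWSKeyFile> Error processing key file contents, phase 3
[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Importing WebSphere LTPA keys from file at path c:\temp\bpm_ltpa.key
[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Successfully read file to memory
[0408:0002-0D8C] 31/10/2012 10:16:55.90 LtpaImportWSKeyFile> Successfully imported WebSphere LTPA keys from file
"""

if __name__ == "__main__":
    for attempt in classify_imports(SAMPLE):
        print(attempt["time"], attempt["outcome"], attempt["path"])
```

An attempt left as "incomplete" means the log stopped after the "Importing" line without any of the known result messages.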


As ever, shiny :-)

6 comments:

Darren Duke said...

Or.....to see the console natively on the Linux server, use the incredibly useful scripts from Daniel Nashed:

http://www.nashcom.de/nshweb/pages/startscript.htm

Dave Hay said...

@Darren, yes, you're absolutely right, and I did find and blog about Daniel's scripts a wee while back: -

Automagically starting Domino on Linux

Thanks for your comment.

NotesSensei said...

I have a toolbar button in my Notes client (works on all platforms):

@Command([AdminRemoteConsole])

Dave Hay said...

@Stephan - thanks for the suggestion, definitely worth a look, regards, Dave

Dmitrijus said...

Thank you very much.
You helped me with the LtpaToken import.
I spent a full day finding the solution.
But you did not mention that the LtpaToken must be copied to a local drive, and the path must be to the local directory.
Dmitrijus

Dave Hay said...

@Dmitrijus - thanks for your feedback, glad it helped :-)