Serious issue when signing a database in the background on the server

While working with the cAPI, I ran into a nasty problem with signing design elemnts in an application on the server with a different ID than the server ID.
This seems only to be a problem with XPages related design elements.
When you try to open an XPage from that database in the browser, you will get a 403 Error message.
When I sign the same database from the client with the same ID using Ytria SignEZ, everything works as expected.

Other elements are not affected. So forms, views, agents and script libraries are signed correctly. Well, don’t get me wrong, even XPages are signed correctly, but they just do not work any longer after signing.

So, how do I sign a database in the background on the server with a different ID?

Here is, what I do. The ID is stored as an attachment in a configuration document. The file is detached at runtime to a temporary directory outside the Domino installation path. The code opens the file and returns a handle to the ID

if ( NOERROR != SECKFMOpen(&hKFC, 
                SECKFM_open_All, 0, NULL))

An XPage is defined by NOTE_CLASS_FORM and DESIGN_FLAG_XSPPAGE, so later in the code, we have to open the note EXPANDED

ret = tnote.open1(tdb.hDb, nid, OPEN_EXPAND);

Finally, the design note is signed using NSFNoteSignExt3

ret = NSFNoteSignExt3(
      tnote.h, hKFC, NULL, MAXWORD, NULLHANDLE, 

and contracted afterwards

ret = NSFNoteContract( tnote.h );

To verify, if anything is wrong with the signature, I use

ret = NSFNoteVerifySignature (
      tnote.h, 0, 0, retSigner, retCertifier);

So far, so good. As I said before, the code runs without any issues and the verification also does not report any errors.

At ConnectED, I went to the “Meet the Developers Lab” and asked for advice. The problem seems not to be in my code, but the Devs had a vague idea, what might be the problem.
I did some tests today and here is what I found out.

When you sign a design element using the client, The last entry in the $UpdatedBy field is the name of the signer.
When you do the same on the server, then the server’s name is the last name in the list.
Hence it is different from the name that is stored in the $Signature field, the error occurs.
This also explains, why I can open XPages that have been signed using my code and the server ID instead of the signer ID. In this case, names in $UpdatedBy and $Signature are identical.

As far as I can see, there is no workaround for that. So the only way to get this solved is to open a PMR with IBM …

How to determine, if a shared library is loaded on AIX

Recently, I had to figure out, if a shared library on an AIX system was loaded at Domino server startup. I am not an expert on UNIX, so I asked GOOGLE for some help.

I came across the UNIX command genkld, whic did exactly what I wanted to do

genkld will create a list that is printed to the console that shows all loaded shared libraries


You can find more useful information about “Shared library memory footprints on AIXhere


Remove Windows SP1 Backups To Free Up Disk Space

I recently installed SP1 on a Windows 2008 R2 Server. The partition for the OS only had 10GB space available. After SP1 had been successfully installed, only 7GB of free space was left.

You can delete the backup files if SP1 has been installed without any issues.

Use the following command to free up disk space after the service pack installation:

dism /online /cleanup-image /spsuperseded


The process takes a few minutes to complete, it ends with the sentences “Service Pack Cleanup operation completed. The operation completed successfully”.

Please remember that you cannot uninstall the service pack after you have cleaned up the disk space.

Add ProFTPD to ESXi 5.1

Uploading files to an ESXi datastore ist terrible slow using the build-in upload mechanism. However if you add FTP to your ESXi server, and use an ftp client to upload/download files, the upload/download will be much faster.

ProFTPD runs good in ESXi 5.x and offers high transfer rate over normal transfers.

To add ProFTPD Service, do the following.

Enable SSH in ESXi.

  • Connect to your ESXi host
  • Goto Configuration
  • Goto Security Profiles
  • Click on Properties
  • Select SSH from the list of services
  • Click Options end start the service

Connect to your ESXi host using any ssh client like putty.
Navigate to your datastore folder  cd /vmfs/volumes/datastore/
[Replace “datastore” to match your datastore name]

Create any folder where your FTP Service files can be downloaded from the internet or any other source.

mkdir install
cd install

Now download ProFTPD using wget


install ProFTPD using esxcli

esxcli software vib install --no-sig-check 
-d /vmfs/volumes/datastore/install/

I needed to restart the ESXi system to activate ProFTPD in the Security Profiles.

Forcing a localized vSphere Client or vSphere Web Client installation to launch in English

My vSphere Client starts with a german User Interface. Obviously, the language depends on the OS language. In my cas, it’s German …

To be able to provide screenshots with english labels and error messages in a way, that I can find results on Google more easily. I was looking for a way to switch the language of my vSphere Client to English.



There is no setting in the UI itself, but here is a little trick, how it can be done without pushing language files around like in the pre WW1 days.

Simply add one of the following parameters to the start parameter of the vSphere Client desktop icon

  • English: en_US
  • German: de_DE
  • Japanese: ja_JP
  • Simplified Chinese: zh_CN
  • French: fr_FR
  • Korean: ko_KR

"C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe" -locale en_US

You can do the same with your web based client.

Th switch the language to French, simply add the language parameter to the URL



consoleEZ – new tool from YTRIA

Ytria’s consoleEZ lets you improve the way you work by giving you access to one or several IBM Domino server consoles in one dashboard.

In fact with consoleEZ, you can:

  • Get a complete picture of your domain activities without having to switch from one server to another.
  • Open several sessions for as many servers as you need, apply filters, and select/copy anything you see in the consoles.
  • View past events with the Log Analyzer, filter and search them, and consolidate your data with various options.


You can download a time limited beta version here.



OpenNTF: TriggerHappy 2.0 (Update)

TriggerHappy 2.0 for Domino on Linux has been released on OpenNTF. It is still BETA and not intended to be used in production.
For now, I only provide the 32Bit version, because despite the 64Bit Version compiles and links, it freezes my server on startup.

The 32Bit version starts without issues, but invokes NSD on server quit and restart. Will look into that, but with Connect 2014 just around the corner, I do not have much spare time to do so.


If anyone is willing to offer help and could review the sourcecode ( Ben? Nathan?, Daniel? ) … Much appreciated.


OpenNTF: TriggerHappy 2.0

18.01.2014 14:07:11 TriggerHappy initially started on Domino 9.0.1 LINUX/64Bit

Still having a smallish issue when the agent is started. Seems to be a problem with Thread Local Storage implementation. Looking for assistance.

If anyone is willing to look into the code, I will send it. Ping me an email if you want to help.


As of Notes 9.0.1, you can now control the date column in the mailfile preferences to automatically sort ascending or descending.  (


The option can also be set via the notes.ini


A value of 11 displays the most recent message at the end of the view (the default) and 12 displays it at the beginning of the view.

Build cAPI Programs On Linux/64

Today I built a compile and build environment for Domino 9.0.1 on Linux 64Bit. I had done this for 32-Bit Linux a while ago and all the steps for 32Bit also work in a 64Bit environment.

There is only one symlink you have to add in addition to the symlinks you have to create on 32-Bit

ln -s $Notes_ExecDirectory/ /usr/lib64/

where $Notes_ExecDirectory=/opt/ibm/domino64/domino/notes/latest/linux in my environment


Titanium Studio – ‘Failed to create the Java Virtual Machine’

I recently installed Titanium Studio on my PC. On first startup, I received the following (pretty useless)  error message …


To get more information about the error ( and the cause ), you can start TitaniumStudio.exe from the command prompt with the -debug switch


After more searching and testing, I changed a parameter in the titaniumstudio.ini from

-Xmx1024m to -Xmx512m

Now Titanium Studio starts without any complaint …


Compacting Databases With DBMT

Starting with IBM Domino 9.0, DBMT has been introduced. You can use the DataBase MainTenance tool for performing multiple daily/weekly administrative tasks on user’s mail database files. The DBMT tool relieves the administrator of the need to run the Updall task.
When DBMT is executed, it uses the copy-style compact (compact -c ) to compact databases. Compact -c has the disadvantage of fragmenting files and this can have an impact on the performance of your server.

But DBMT behaves a bit different here. DBMT preallocs the .TMP file to the used space size of the .NSF.

I did a test on my server. Here is the result.

Unfortunately, the “old” compact task itself does not yet have the preallocation feature included. I hope, that we will see this feature in a future release …

Administration Help and DBMT in 9.0.1

If you are already familiar with DBMT, you might be aware of this;  if you are new to DBMT, you can save some time reading this article

DBMT is a new feature in Domino 9.0 that allows you to configure the regular maintenance options that you are familiar with to run automatically on schedule to keep your databases running smoothly. There are a lot of options that are described in the Administration Help Database

But, the Administration Help is wrong in one particular case:

“Specify any additional system databases using the notes.ini variable DBMT_FILTER. Separate entries in the list either by a space ( ), a comma (,) or a semi-colon (;). The names are case-insensitive and are relative to the data directory.

The correct name for the variable is DBMT_COMPACT_FILTER

Even after upgrading to 9.0.1, you will find this incorrect entry in the help.


deviceBean in Notes / Domino 9.0.1

Starting with version 9.0.1 of IBM Notes / Domino,a new managed bean called the deviceBean is  introduced within the XPages run-time to provide an easy to use and easy to program way of identifying a popular range of mobile and tablet devices directly within ServerSide JavaScript or Expression Language (EL) computed expressions.

So, instead of using

<xp:text escape="true" id="computedField2"

you can use EL in your XPage

<xp:text escape="true" id="computedField1"

Read all about this new bean in the “What’s new in IBM Domino Designer 9.0.1 Social Edition?” section of the IBM Notes Designer Help

ODS52 available in Notes & Domino Release 9.0.1

This new ODS prevents data corruption that can occur only under very rare certain circumstance for medium and strong encrypted databases. A temporary solution has already been built into  8.5.3 and 9.0.

Starting with 9.0.1, the issue has been fixed permanently.

Once a Notes Client or Domino Server has been upgraded to 9.0.1, set CREATE_R9_DATABASES=1 in and the next copy style compact of the database will upgrade the database to ODS52 and the encrypted databases will no longer be exposed to this very rare corruption.


Thanks, Bruce

Thank you Bruce for all you have done for the (Lotus) Notes community and for giving OpenNTF to us in 2001.


I remember that day back in 2007 in Dublin, when I first met you in person at ILUG. We have met a few times on other events since then, and I hope to (perhaps) see you as a speaker at the EntwicklerCamp conference in 2014.

Good luck to you for all your future plans!!

Toolbars are missing after upgrading to Notes 9

After you have successfully upgraded your client to IBM Notes 9, you will no longer see any toolbar when using the IBM Social Theme.


You might also have checked “File\Preferences\Toolbars” and found all your toolbars there: all of them enabled and visible.

In IBM Notes 9, there is a new setting that is activated by default: “Show Toolbars Only When Editing”


Uncheck it and your toolbars will re-appear, yeah!


I am invited! The IBM Leadership Alliance Conference

A couple of days ago, I received a mail asking me to join Alistair Rennie (General Manager, IBM Collaboration Solutions ) at the sixth annual IBM Leadership Alliance conference, October 23rd – 25th, at the Fairmont Copley Plaza, Boston, Massachusetts.

The conference has it’s focus on IBM’s newest collaboration capabilities and solutions. IBM will share the latest on  strategy and technical direction, from Application Development and Social Integration, to Mobility and Messaging & Collaboration. Content shared during this meeting will include IBM confidential information that will be governed by the terms of the confidentiality agreement between IBM and each attendee. So do not expect any post about what will be presented at this invitation only event.

Hotel and flight is already booked. Public transportation seems to be fairly easy in Boston. And the hotel and venue is close to Boston Logan International Airport

I’ll be doing a webinar in October

Howard Greenberg from TLCC invited me to present a webinar in October.  I’m looking forward to working with Howard. So, if you do not have / had the opportunity to attend a LUG near your location and you want to know, how to find the bottlenecks in your XPages and make them lightning fast, you are invited to our webinartlccwebinar