fighting for truth, justice, and a kick-butt lotus notes experience.

IBM Technote: Apple iOS 12 Mail, Calendar and Contacts fail to sync if HTTP Basic Authentication is not properly configured

 18 September 2018 20:40:25
IBM published a new Technote today regarding issues with Traveler and iOS 12 devices when HTTP Basic Authentication is not properly configured.

Apple iOS 12 Mail, Calendar and Contacts fail to sync if HTTP Basic Authentication is not properly configured

Flashes (Alerts)


Starting with Apple iOS 12, native Mail, Calendar and Contacts applications fail to sync if HTTP Basic Authentication is not properly configured.


Prior to Apple iOS 12, the device would send the HTTP Authorization with the user's credentials on the first request.  As long as the credentials were correct, the device would not get challenged for credentials and it would not matter if the challenge was an HTTP 401 response (correct) or not (such as an HTTP 200  form login HTML response).  

But starting with Apple iOS 12, the device no longer sends the HTTP Authorization header on the initial request which means that it will always get a challenge response for the user's credentials; if this challenge is an HTTP 401 (basic authentication), the devices should continue to work, but if it is some other sort of challenge (such as an HTTP 200 with a form), the devices will be unable to connect to sync.

IBM Traveler has always documented that HTTP Basic Authentication is required (  
Prior to Apple iOS 12, even improperly configured servers would allow the devices to sync because of the credentials being supplied without requiring a challenge.  But with the change on Apple iOS 12, properly configured HTTP Basic Authentication truly is required or the Apple iOS 12 devices running the native applications will be unable to sync.

Related information: Configuring IBM Traveler server - HTTP authentication

via IBM Technote
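
A check for the condition the Technote describes, as an added example that is not part of the Technote or of this blog: it classifies a server's reply to a request sent without an Authorization header, which is how an iOS 12 device now makes its first request. The `probe` helper, the label names and the sample replies are assumptions made for illustration; pass `probe` the URL your devices sync against.

```python
import urllib.error
import urllib.request

def classify_challenge(status, headers):
    """Classify the reply to a request sent WITHOUT an Authorization header.
    headers: iterable of (name, value). Labels are this example's own."""
    headers = list(headers)
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # One header may list several challenges; skip auth-params (key=value).
        for part in value.split(","):
            tok = part.strip().split(None, 1)[:1]
            if tok and "=" not in tok[0]:
                schemes.add(tok[0].lower())
    ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
    if status == 401:
        return "basic-challenge" if "basic" in schemes else "401-without-basic"
    if status in (301, 302, 303, 307, 308):
        return "redirect"             # e.g. bounced to a login page
    if status == 200 and ctype.lower().startswith("text/html"):
        return "html-200-form-login"  # form login answered instead of a 401
    return "no-challenge" if status == 200 else "other"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx itself instead of following it

def probe(url, timeout=10):
    """Send one credential-less GET to url and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url), timeout=timeout)
    except urllib.error.HTTPError as err:  # 401 and 3xx arrive as HTTPError
        resp = err
    return classify_challenge(resp.code, resp.headers.items())

# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "basic": (401, [("WWW-Authenticate", 'Basic realm="example"')]),
    "form": (200, [("Content-Type", "text/html; charset=UTF-8")]),
    "redirect": (302, [("Location", "/login")]),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print(name, "->", classify_challenge(status, hdrs))
```

Only `basic-challenge` is the reply the Technote says iOS 12 devices can work with; the form-login result is the misconfiguration it describes.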

Must read: HCL - Iris is back again

 14 September 2018 15:57:41
John Curtis of HCL has published a wonderful blog post, which answers some questions for me and confirms my opinion of what went wrong at IBM regarding Notes Domino and the ICS products in recent years.

The longer article should be read by everyone to understand how HCL ticks and which team got together again.

The post makes me optimistic for the future and my previous experiences with HCL are very positive. So much already as feedback from the participation in the Betas and the discussions around the HCL Factory Tour.

Iris is back and HCL brings new life, new ideas, regained freedoms and very important engagement into the products (Notes, Domino, Sametime, IBM Mobile Connect, On-Premises) which were neglected by IBM management during the last years.

I could already see and touch some upcoming things (unfortunately I'm not allowed to tell you more about this yet) and I only say one thing about it: Wonderful - A dream comes true

They're baaack!

Many thanks in any case to John Curtis for his view of things and the courage to post this.

Read John Curtis's blog post here: The Iris Bloodline

New iOS 12 MDM feature to control access to contacts by third-party apps

 14 August 2018 14:53:29
Starting with iOS 11.3 in the spring of this year, Apple already made it possible to control, via MDM restrictions, which third-party apps (keyword: WhatsApp) can access the managed company contacts of the ActiveSync account.
This was done via the Managed OpenIn restrictions. These can be used to control whether an unmanaged app can access the content of a managed app or account.

See also my blog post: ios-11.3-update-regarding-contact-containisation.htm

Apple released updated Configuration Profiles documentation yesterday. Among other iOS 12 extensions, it contains two new restrictions that allow additional control over access to contacts when the Managed OpenIn restrictions are set to false.


Optional. If set to true, managed apps can write contacts to unmanaged contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
A payload that sets this to true must be installed via MDM.
Availability: Available only in iOS 12.0 and later.



Optional. Supervised only. If set to true, unmanaged apps can read from managed contacts accounts.

Defaults to false.

If allowOpenFromManagedToUnmanaged is true, this restriction has no effect.
A payload that sets this to true must be installed via MDM.
Availability: Available only in iOS 12.0 and later.


16th OpenUserGroup-Westfalen Stammtisch on 29.08.18 in Bielefeld

 7 August 2018 15:41:41
Please save the date:

The 16th OpenUserGroup | Westfalen Stammtisch takes place on Wednesday, 29.08.18 in Bielefeld.

Besides networking and discussing current topics in a relaxed atmosphere over a good meal and cold drinks, there will be a short keynote talk on the IBM and HCL Collaboration & Social product family.

We start at 18:00:

Current news from the IBM and HCL world:

- Notes Domino v10 – New Features
- Domino Apps on iPad – HCL Nomad
- HCL Factory Tour and DNUG Review
- Open discussion

Further details on the Stammtisch, the location and the agenda can be found here: OpenUserGroup | Westfalen

New members are welcome. Just get in touch with me or fill in the contact form: OpenUserGroup | Westfalen - Kontakt

PS: As always: the event itself is free of charge, but each participant pays for their own food and drinks.

midpoints LE4D 2.0 – some hints

 30 March 2018 12:31:29
On March 28th, we released Let's Encrypt 4 Domino aka LE4D. If you are running LE4D v1.x, you must update to v2.0.

Certificate renewal will no longer work with v1.x because of some changes Let's Encrypt made to their API endpoint.

If you are new to Let's Encrypt 4 Domino  you can get it here:

Here are some additional hints to get v2.0 working:

Settings documents are disabled after design update to v2.0

In v2.0, we added a new feature to toggle the status of settings documents.

All new settings are disabled by default. You have to enable them before running the agent.

Error: No trusted certificates found

You might see the following error message on the Domino console:
29.03.2018 08:21:39   Agent Manager: Agent  error: Caused by:
29.03.2018 08:21:39   Agent Manager: Agent  error: No trusted certificate found

29.03.2018 08:21:39   Agent Manager: Agent  error:         at

This most likely happens after you have applied a Domino FP or HF. In all cases we have seen, the cacerts was replaced with the default cacerts during the FP/HF install.

To fix this problem, you have to import the needed certificates again.

The certificates can be found here

You should import the ISRG Root X1 CA and the two Intermediate certs:

- ISRG Root X1 (self-signed)
- Let’s Encrypt Authority X3 (IdenTrust cross-signed)
- Let’s Encrypt Authority X3 (Signed by ISRG Root X1)

A “HowTo” about importing the certs can be found here:

Error: Order’s status (“invalid”) was not pending

You might see the following error message on the Domino console:
28/03/2018 22:51:58   Agent Manager: Agent  error:         at Source)
28/03/2018 22:51:58   Agent Manager: Agent printing: [ERROR] – Order’s status (“invalid”) was not pending

28/03/2018 22:51:58   Agent Manager: Agent printing: LE4D  – finished!

Due to the change in the underlying ACME protocol, Let’s Encrypt needs to re-validate the HTTP challenge on certificate renewal.
To do this, the challenge token must be accessible on the Domino server on port 80.

If you only have port 443 enabled or forward port 80 to 443, then the challenge will fail and you will see the error message.

Just for clarification: port 80 is only needed for the first-time challenge validation after the upgrade to LE4D v2.0. It is also needed when you change the configuration and add a new host to the existing list of hostnames.

After the challenge has been validated, you can close port 80 again. It is not needed for certificate renewal.

Announcing - Lets Encrypt for Domino v2.0 - Just Do SSL

 28 March 2018 18:07:34
We are pleased to announce today the new version 2.0 of Let's Encrypt 4 Domino aka LE4D.


If you are already using LE4D, be sure to update to the new version 2.0.  
Starting March 16th, the renewal of certificates generated with version 1.0 is no longer possible due to changes Let's Encrypt made to their CA API infrastructure.

What is new in LE4D 2.0

LE4D 2.0 uses the ACME v2 protocol, is based on Java 8, and is supported on Domino 9.0.1 FP8+ on Windows & Linux.
The complete code is now contained in a single Java agent.  
The internal communication between the agent and the XPage in LE4D 1.0, which controlled the certificate generation and renewal, is therefore eliminated.

The support for wildcard certificates is not included in this version, but will be available in the next few weeks.  

How to upgrade to LE4D 2.0

Existing LE4D users should already have received an email from me with the new version.

To upgrade an existing installation, simply replace the design of your LE4D application with the new template.
You can delete the data in the LE4D workdir. The data no longer works with the new ACME v2 protocol.

LE4D has been tested on Domino 9.0.1 FP8, FP9 and FP10 on both Windows and Linux. There are no known issues.

For further information on how to do a first time setup refer to the documentation. The documentation is part of the zip package.

I made an additional blog post regarding possible issues and how to solve them: midpoints LE4D 2.0 Some Hints

If you have any feedback or suggestion, pls. let us know.

Let's Encrypt!

Saying Goodbye to Facebook

 20 March 2018 14:27:27
Facebook is using us.
It is actively giving away our information. It is creating an echo chamber in the name of connection. It surfaces the divisive and destroys the real reason we began using social media in the first place – human connection.

It is a cancer.


I have had a Facebook account since 2009, but I never used it much. I never used WhatsApp.
I have always been sceptical about the company Facebook and did not want to let a company like Facebook participate in my business and especially my private life.
Facebook (Facebook, Messenger, Instagram and WhatsApp) lives off the data and sells the data that I and my "friends" feed it with.

Facebook probably knows more about each user than any other service, agency or organization. Probably more about the user himself than close real persons.  
Facebook knows your habits, where you live, your social environment, with whom you communicate how often, what you like, which websites you visit,...

Anyone who still thinks, after the current events, "what is Facebook supposed to do with my last holiday selfie?" is naive. Facebook actively uses the data and passes it on to third parties. What can be done with this data is being drastically demonstrated to us.

Today I made the long overdue decision for myself to delete the content as much as I can, clean up my profile and put the account into sleep mode.
You can still find me there, but I will no longer actively "play" there.

If you want to connect with me, you can find me here:

Twitter, Xing, LinkedIn and IBM Watson Workspace

Or just by phone or mail.

New IBM Notes Client Slipstream for macOS High Sierra

 15 March 2018 20:52:13
This week IBM released a new install package of the IBM Notes Client for macOS 10.13 aka High Sierra.

Notes 9.0.1 64-bit was released in 2015 and then revised on 9 March 2018 to address an OS X 10.13 install issue.

You can download the client via IBM Passport Advantage. Just search for the Part Number:
Passport Advantage 
Part Number
IBM NOTES 9.0.1 MAC 64 BIT English CNQY7EN  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Simplified Chinese and Traditional Chinese CNQY8ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Japanese and Korean  CNQY9ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT French, Brazilian Portuguese and Spanish CNQZ0ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Italian and German CNQZ1ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Danish and Dutch CNQZ2ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Finnish, Norwegian and Swedish CNQZ3ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Polish and Russian CNQZ4ML  Revised 3/9/2018
IBM Notes 9.0.1 Mac 64 BIT Portuguese and Turkish CNQZ5ML  Revised 3/9/2018

After installing the new client you should install the latest Interim Fix (IF14 or greater) on top.

Let’s Encrypt now supports Wildcard Certificates and LE4D will support it too

 13 March 2018 18:32:57
Today Let's Encrypt starts to issue official wildcard certificates for free.

We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.

Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.

Wildcard certificates are only available via ACMEv2. In order to use ACMEv2 for wildcard or non-wildcard certificates you’ll need a client that has been updated to support ACMEv2. It is our intent to transition all clients and subscribers to ACMEv2, though we have not set an end-of-life date for our ACMEv1 API yet.
Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

via Let's Encrypt Community announcement

We already extended our existing midpoints Let's Encrypt 4 Domino (LE4D) client to support the ACMEv2 API.

The plan is to release midpoints Let's Encrypt 4 Domino v2 in the next few weeks, after we have finished some final tests.

So yes - LE4D v2 will support wildcard certificates!

But you should already keep one thing in mind: to use wildcard certificates, ACMEv2 will do the validation using a DNS-01 challenge. That will require adding a DNS TXT record to your public DNS zone.
A fully automatic solution will not work with all DNS servers in use.

But we will explain this in more detail when we release LE4D v2. Stay tuned.

IBM Traveler available

 7 March 2018 22:53:07
Today IBM released a new Traveler version called (Build: 201803022309_20).

IBM Traveler is a maintenance release that provides APAR fixes for the IBM Traveler server.

IBM Traveler includes a database schema update for MS SQL Server deployments.
It is only necessary to run verifyIndexes.sql to update the schema to latest level. Otherwise no action is required unless upgrading from a version prior to If you use auto schema updates (default behavior) there is no action required.

APAR # Abstract
LO93281 Modify an encrypted event from mobile device may corrupt event body.
LO93380 Support 32 bit Domino 9.0.1 Server.
LO93412 One index may cause performance problems on MS SQL Server.
LO93440 Incorrect default ACL for R6MemoMap.nsf
LO93455 Incorrect error code used for network error.
LO93466 Set $RFSaveInfo field on Reply/Forward from mobile device.
LO93491 Name used for time zone on mobile device does not match value used by Notes Client.
LO93522 Improve handling of very small in-line mime images.
LO93529 Web Administrator interface may show Verse for iOS device as not supporting data wipe.
LO93547 Not authorized message logged during network outage.
LO93596 Device may be missing e-mail if user has another device with a smaller filter window.
LO93599 Handle unexpected list format in notes.ini file.
LO93645 Event may not show on user's device when user was removed then re-invited to the event.
LO93660 Yellow status message displayed for Replicas table missing a Primary Key.
LO93663 Mail in sent folder may be missing content when configured to save with no attachments.
LO93706 Add NTS_JAVA_PARMS_EXT notes.ini parameter to allow for values larger than 256 characters.
LO93709 Attachment with DBCS characters in the file name may not display on mobile device.
LO93720 Update APNS Certificates, new expiration date March 30, 2019.

You can download the update as usual on IBM FixCentral.

An IBM Traveler full installation package will be available by March 16, 2018 on Passport Advantage.