From IBM Lotus Support: Security Certificate expiration in Lotus Domino on May 18th 2009

This note contains links (URLs) to technical support documents (technotes) related to an issue affecting IBM Lotus Domino customers. You are receiving this notification because you are a customer who has called us for technical support in the past. If you do not wish to receive notifications like this one on other topics in the future, please reply to this email and change the Subject field to: unsubscribe , e.g. unsubscribe user@company.domain. This is a special mailing separate from regular Frequently Asked Questions (FAQ) mailings to urgently provide information about this expiration situation.

What is happening

The certificate for some Java applets in Lotus Domino 6.5.x, Domino 7.0.x, Domino 8.0.x, and Domino 8.5 have an expiration date of May 18, 2009. Starting May 19th, Web users will see a dialog with a message similar to one of the following when loading a Web page that contains a Java applet from the Domino server:

“The digital signature was generated with a trusted certificate but has expired or is not yet valid.”

“The security certificate has expired or is not yet valid.”

This issue can occur even if IBM is set up as a trusted publisher in the browser.

What does this mean

Please be assured that this message does not mean security has been compromised. It simply reflects the expiration of the signature originally provided in the security certificate used with certain Domino applets. You can find an explanation in the following technote:

Title: “Security certificate expiration messages generated from Domino applets (May 18, 2009)”

URL: http://www.ibm.com/support/docview.wss?rs=899&uid=swg21381298

Action needed to resolve

To resolve the situation, you have three options: (1) Instruct users to “Always Trust” content from IBM, (2) if using Domino 7.x, upgrade to Domino 7.0.4, or (3) download and apply fixes. IBM recommends that you replace the affected Jar files (option 3) as described in the following download document for any supported release of Domino:

Title: “Download re-signed Java applets for Lotus Domino (May 18, 2009)”

URL: http://www.ibm.com/support/docview.wss?rs=899&uid=swg24022981

Alternatively, an interim fix will be posted to Fix Central for the latest Modification and Fix Pack levels by May 8th. These include Domino 6.5.6 FP3, 7.0.3 FP1, 7.0.4, 8.0.2 FP1, and 8.5.0. If you’re not running one of these releases, access the download document above, which provides fixes for all supported release levels.

General Self-Help Resources

Here are links to other ways that you can access IBM Lotus Notes & Domino self-help support information on the Web:

  1. My Support (http://www.ibm.com/software/support/einfo.html)
  2. Lotus Support is just a click away (http://www.ibm.com/software/lotus/support/clickaway/); learn more about Lotus Software Self-Assist Options.
  3. IBM Software Support Site design update (http://www.ibm.com/software/support/gcnews.html)
  4. New Lotus Notes Domino Wiki (http://www.lotus.com/ldd/dominowiki.nsf)
  5. Fix Central (http://www.ibm.com/support/fixcentral/)

Sincerely,

The IBM Lotus Notes & Domino Team

IBM software available in the Amazon Cloud

Today I received an e-mail from Amazon Web Services (AWS) stating that IBM and Amazon has partnered up to provide IBM (and Lotus) software in the Amazon EC2 (Elastic Compute Cloud). How cool is that!?

We are excited to announce that IBM and Amazon Web Services have teamed up to provide you with the ability to build and run a range of IBM applications using the Amazon Elastic Compute Cloud (Amazon EC2) service. This relationship will enable you to bring your own IBM licenses to Amazon EC2, utilize IBM’s “Development” AMIs, or leverage the “Production” Amazon EC2 running IBM service. The initial list of IBM environments that will be available includes: IBM DB2, IBM Informix, WebSphere sMash, IBM Lotus Web Content Management, and IBM WebSphere Portal Server.

More info on the AWS partner page.

Why patching the org.apache.commons.lang plugin is necessary

As part of the core Lotus Expeditor framework a number of Apache Jakarta Commons libraries are supplied as plugins. Unfortunately the org.apache.commons.lang plugin is incorrectly packaged which means that developers cannot reuse code from this library. This goes for all Notes 8 releases so far (Notes 8.0, 8.0.1, 8.0.2 beta 1, 8.0.2 beta 2, 8.5 beta 1).

The problem is that the plugin manifest file (MANIFEST.MF) doesn’t export all the packages of the library but only the root package. The *right* thing would be to export all the packages (e.g. org.apache.commons.lang.exception, org.apache.commons.lang.math etc.)

Luckily the problem is quite easy to fix and it will be in upcoming releases. For now, as a developer, the easy way to solve the problem is to simply modify the manifest by unzipping the plugin, changing the MANIFEST.MF file and rezipping the plugin back up. I have done this on all my machines and will be supplying a patched version of the plugins so you can run TwitNotes 1.0.5 on these releases.

Patching this plug-in wont affect other code in my eyes.

Article: Designing composite applications: Writing an Eclipse component for IBM Lotus Notes

“This article introduces some helper classes so you can quickly build and deploy feature-rich, reusable, Eclipse-based components for IBM Lotus Notes. You also learn how to create a foundation upon which other components can be created quickly and easily.”

Designing composite applications: Writing an Eclipse component for IBM Lotus Notes by Craig Wolpert and Jo Grant from IBM @ IBM developerWorks.

What’s the future of Java in Notes/Domino?

At Lotusphere 2007 there was a session on the future directions of Java in Lotus Notes and Domino called AD508 (AD508: Java 5 Upgrade for IBM Lotus Notes and Domino). Basically the session discussed the future of Java in Notes/Domino and how IBM is planning to ship Java 5 as part of Notes 8/Domino 8. Unfortunately I haven’t had the time I wanted yet to play around with version 8 yet so I cannot comment on whether Notes/Domino 8 already has Java 5 – the Reviewers Guide says that it has though.

For those not in the know Java 5 introduced a number of new core language features which are definitely worth the upgrade but the most beneficial for me is the enhanced for-loop and generics. There are a number of additional API changes that makes life much nicer from the programmers point of view. This is all well and good but Sun Java is currently in version 6 and have been for a while now and Java 7 is currently being planned and scoped out. Java 6 has a number of additional features that would be nice for Notes/Domino programmers such as JDBC 4, new APIs for web-services and improvements to the Java Platform Debug Architecture (JPDA). Only going to Java 5 in Notes/Domino 8 seems like a bad choice.

Why would IBM not want to go directly to Java 6? It could be that, as of today, IBM hasn’t shipped a Java 6 development kit yet and since IBM probably wants to include their own JDK it might be why. Another reason could be that IBM Lotus Expeditor doesn’t run on a standard JDK but on the IBM J9 VM which is a scaled down version of the JVM with a limited set of API classes. With not even a Java 6 JDK ready I would guess that a Java 6 version of J9 is a long way off. The fact that Lotus Expeditor is based on J9 causes its own set of problems for plug-ins in Sametime 7.5 (as previously mentioned) but that’s another story.

I fear that since Lotus Expeditor now is the base platform for IBM client products and since IBM probably wants to avoid shipping two JVMs with the product they will stick with J9 for some time. Given I don’t know the exact technical reasons for J9 and there are performance to think of as well (JVM reuse for client platform code and client side Java) I find that a real shame. It would be a really big loss.

Suddenly the supported Java version will be tied to the JVM running the client and we as developers and customers will be tied to using back-level APIs. For trivial agents etc. this is probably not going to matter anyway since the Java API hasn’t been updated since its inception. For new code it is going to be a real show-stopper. Most new code and components are created by combining existing (open-source) modules into new code and modules and with most open-source projects being at at least Java 5 by now it is going to cause problems. I know Java 5 and Java 6 are bytecode compatible but requiring additional compatibility libraries are going to be a problem in the long run. Combining this with the Java security restrictions put in place we can find our self running on a monolithic IBM Java platform which hardly was the idea.

So what’s the answer?

It seems more and more like IBM should support custom JVM for at least the server. It would be nice for the client as well but lets be reasonable. It could a solution where there are a number of choices – some choices could be proven and (absurdly) battle-tested (Java 1.3, Java 1.4.2) and some simply following the industry (Java 5, Java 6). I know it probably never will be possible to simply drop a new run-of-the-mill Sun JVM into Domino but this isn’t necessarily the goal. I simply want a JVM that follows along. It might be that it required an additional download and install but at least give me the choice.

As for the Notes 8 client it might be even easier than for the server since the Eclipse foundation already allows for a custom JVM. Why not support running Notes 8 on an already installed JVM? One could even argue that the client would benefit just as much from a JVM upgrade than the server since the Notes 8 client will be a universal client and hence not simply access Notes data. If IBM expects ISV’s to develop Java solutions for Notes 8 they will expect a common programming model for Eclipse/Notes 8 based solutions which comes down to the JVM.

So IBM – please upgrade the JVM or allow for “custom” JVM’s – soon… Oh – and please upgrade the Notes/Domino Java API – who still uses java.util.Vector? Thank you! 🙂

IBM Workplace Designer mentioned in Eclipse Magazine


IBM Workplace Designer is mentioned and used as an example on how to leverage Eclipse as a foundation for rich-client applications. Too bad Expeditor, Sametime or Notes 8 isn’t mentioned…

Eclipse Power in IBM Workplace/Domino
“Eclipse is a robust functional platform that IBM Workplace/Domino developers can put to full use in their current and future projects. In this article, we focus on the benefits of Eclipse as a client foundation that has a cross platform, rich UI widget set that is based on native widgets, a rich UI framework, pre-defined dialog basis: Wizards, Preferences, Properties, and other UI: Perspectives, Views, Editors, Workbench (as a base), ActiveX support in SWT on Win32 (platform integration), and a good Help system. Eclipse as a client foundation is an extensible platform that features a plug-in extensibility model, shared programming model with tools development, education that is already developed for tools offerings, core services, extension points, core frameworks, production quality platform with two major releases in the market, and an Open Source code base. “

Eclipse Magazine, Issue 5, December 2006.