HCL Traveler 10.0.1.2 available with important content – especially for iOS

The most important “feature” is that new APNS p12 certificates – which will expire in Juni 2020 – are included in 10.0.1.2. There are also updates in the database structure so if you are using an Enterprise Database you have to go through some configuration steps listed here: http://help.hcltechsw.com/traveler/10.0.1/UpdatingTheEnterpriseDatabase.html

The version 10.0.1.2 does not require HCL Domino 10.0.1 but at least Domino 9.0.1 FP8.

A complete listing about the fixes can be found here.

Especially for iOS users the administrators must be aware of the following issues

( https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0069584 ):

Starting with HCL Verse 10.0.7 for iOS (when it is available), the application is now transferred to an HCL Technologies Apple account and is signed by an HCL-owned certificate.

Expect the following changes:

  • The Verse application is being rebranded to HCL Verse. Not all references to IBM have been removed in this release.
  • The Verse application will no longer be able to access any data that the previous IBM signed versions had stored on the keychain. Therefore, you will be prompted for your password after you upgrade to 10.0.7 and launch the application for the first time. If you choose to remove an existing version and then install 10.0.7, then the user will be required to reconfigure the client. This is not a change in behavior. However, for reasons stated below, we recommend you upgrade over your previous version of the Verse application. Note that the same applies when upgrading from the IBM ToDos application to the HCL ToDos application (when available).
  • The device ID generated by iOS will change (clients managed by IBM Maas360 and MobileIron are not affected). Moving to the HCL account caused a change in the development team ID for the IBM Verse application. This team ID is input to the Apple API that the application uses to generate a unique device ID. The result is a different device ID which will be used when communicating with the Traveler server (in the form HCL_IOS_xxxxxxxxxx). After installing 10.0.7, the client application will look like a new device to the Traveler server. You can see your new device ID on the About screen under Verse settings, the user’s Traveler home screen or in the Traveler Administration view. A new device ID will have the following effects:
  • After you install 10.0.7 (either new or as an upgrade), the device will re-sync because Traveler treats the device as a new device because of the device ID change. You will see all mail in the all folders disappear and then start to re-populate. There is no way to avoid this re-sync, so plan accordingly.
  • A new profile document will be created for the new device ID (HCL_IOS_xxxxxxxxxx) by the Traveler server. This means all your preferences (things like days to sync, signature, etc) will be set to the defaults. However, if you take the recommended approach of upgrading (installing 10.0.7 over the top of a previous version), the Verse application will recognize the previous install and push all of your local preferences up to the server so that the new profile document is populated with your device preferences rather than the defaults.
  • If device approval is enabled on the Traveler server, the IBM Verse client may need to be re-approved depending upon the automatic approval settings.
  • The old device id (IBM_IOS_xxxxxxxxxx) will appear in the user’s device list until it is either reaped by the Traveler Server due to inactivity or deleted by the Administrator
  • The user may see duplicate notifications on the device for a period of time, typically 24 hours from the upgrade, because both the old and new device IDs are active on the server. There is no way for the new application to tell the server to stop sending notifications for the old device ID. After that period, the Traveler server will mark the old device as offline and stop sending notifications to the old device ID.

IBM Verse for Android is not affected by this change.

IBM Notes Traveler 9.0.1.21 available

Yesterday IBM release the new release of IBM Notes Traveler including the following fixes:

Traveler-Fixes_90121

IBM Traveler 9.0.1.21 includes a database schema update for MS SQL Server deployments.  It is only necessary to run verifyIndexes.sql to update the schema to latest level. Otherwise no action is required unless upgrading from a version prior to 9.0.1.16. If you use auto schema updates (default behavior) there is no action required.

The upgrade is available on IBM Fix Central.

Performance problems on Apache Reverse Proxy

Yesterday I had massive performance troubles after going online with an Apache Reverse Proxy running on CentOS 6.9 for IBM Notes Traveler.

The customer has about 1.250 users and approx. 1.650 devices.

After some investigation and a great site, where the performance parameters are described very good:

( https://www.linode.com/docs/web-servers/apache-tips-and-tricks/tuning-your-apache-server )

I figured out, that the default configuration of the HTTP server was causing this issues, because the settings are much too low/high for this amount of devices. I did some modifications in the httpd.conf and now it´s working fine – feel free to use them:

#
# Timeout: The number of seconds before receives and sends time out.
#

# Default Value: Timeout 60
New Value: Timeout 10


#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to “Off” to deactivate.
#
# Default Value: KeepAlive Off
New Value: KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
# Default Value: MaxKeepAliveRequests 100
New Value: MaxKeepAliveRequests 50

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
# Default Value: KeepAliveTimeout 15
New Value: KeepAliveTimeout 5


# prefork MPM

# Default Value: StartServers 8
New Value: StartServers    1000
# Default Value: MinSpareServers 5
New Value: MinSpareServers 1000
# Default Value: MaxSpareServers   20
New Value: MaxSpareServers 1000
# Default Value: ServerLimit 500
New Value: ServerLimit      1000
New Value: MaxClients       1000
# Default Value: MaxRequestsPerChild  400
New Value: MaxRequestsPerChild 4000

# worker MPM

# Default Value: StartServers 4
New Value: StartServers         8
# Default Value: MaxClients 500
New Value: MaxClients         1000
# Default Value: MinSpareThreads 25
New Value: MinSpareThreads    100
# Default Value: MaxSpareThreads 75
New Value: MaxSpareThreads    750
New Value: ThreadsPerChild     25
# Default Value: MaxRequestsPerChild 0
New Value: MaxRequestsPerChild 0


# Enabled HTTP Compression
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript



If you also need the configuration flie for the Traveler site with the load balancing configuration, feel free to contact me…

Resolve synchronisation issues after upgrade to IBM Notes Traveler 9.0.1.18

IBM Notes Traveler 9.0.1.18 has the new feature to access the users mail server with the same rights as the user. But if you forget to add the IBM Notes Traveler server to the field “Trusted Servers” in the server document of the Mail Server, you receive the following errors:

An exception occurred when opening database /user.nsf using user shortname CN=John Doe /O=IBM in order to retrieve changed documents. Exception information: Throw: TASK_PROFILE_OPEN_DB

*** Content Adapter Exception *** ERROR 23 (ERR_DATABASE_ERROR) — Debug Info ————: Database cannot be opened with status of 0x17eb. Server=database=mail/user.nsf
INFO Mntr-0a78[Master]John Doe dna.cpp.jniDoesDatabaseExist#8427 Internal Error: Debug Data: Could not open Database=’mail/jdoe.nsf’ on server=’ PathName=” for user ‘CN=John Doe /O=IBM’. Error(17eb)=You are not listed as a trusted server 

You can easily get rid of those errors either by:

  • disable the new feature by setting the following NOTES.INI entry on the IBM Notes Traveler Server
    • NTS_USER_SESSION=false
  •  Add the IBM Notes Traveler Server to the “Trusted Servers” field of the Mail Server in the second tab “Security”

 

Moving Android devices from unsecure to secure communication with IBM Notes Traveler

IBM released a very smart way to switch Android devices to HTTPS communication with IBM Notes Traveler servers:

http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E

Problem

Your IBM Verse for Android applications connect to your on-premises IBM Traveler server using an unencrypted HTTP connection instead of an encrypted HTTPS connection. Since the IBM Traveler server can use unencrypted HTTP connections immediately without any additional setup, some installations may have skipped the HTTPS setup procedures prior to deploying Verse for Android to users. To ensure that all your communications are encrypted, first enable HTTPS either on your IBM Traveler server or on an edge proxy. Then ensure the IBM Verse for Android app begins using the encrypted connection without requiring any manual intervention from your users.

Resolving the problem
This feature requires the following components at the specified minimum version levels:
· IBM Traveler server, version 9.0.1.15 (or later)
· IBM Verse for Android app, version 9.5.0.0 (or later)

If all the IBM Verse for Android apps have not yet upgraded to the required minimum level prior to the completion of these steps, then it is recommended you keep HTTP port 80 enabled until you can ensure all apps have been upgraded. It is not required that all users upgrade at the same time.

1. Enable your IBM Traveler server to use HTTPS. Typically, this will be the Domino server that hosts your Traveler server, but it could also be an edge proxy. If this is a Domino server, Domino 9.0.1 fp5 or later is recommended. See the following for more information on this task:

http://www.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_settingupsslonadominoserver_t.html

Also reference the article Securing connections for IBM Traveler mobile applications for the latest updates on security requirements for IBM Traveler servers and mobile apps.

2. Update the “External Server URL” field on the Traveler server to change the current server URL to start with “https://” instead of “http://”. This can be done either through the current configuration document, by updating notes.ini, or by using the domino console. For more information, see:

http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/settingtheexternalserverurlforappledevices.htm

3. Before forcing all IBM Verse for Android apps to use the new URL, test the HTTPS connection to ensure that it works properly. The first test is to ensure that the HTTPS port is working properly and routing to the IBM Traveler server. You can use a web browser to easily validate this. Open a browser page, connect to your Traveler Server External URL, and login using an ID. For example, if your Traveler server External URL is https://traveler.example.com/traveler, use a web browser to connect to that page and validate that you do not see any errors.

4. Test the setup with a few devices that are connected to your IBM Traveler server using the HTTP connection. To do this, issue these commands at the domino console:

tell traveler policy setdevice tsExternalURLEnforced=1
tell traveler push flagsadd serviceability configGet

Where and are the device ID and user you are testing.You can obtain the of a user that has previously connected to the Traveler server using the command:

tell traveler show

5. Sync the test devices to ensure that the sync is working properly. From within the Verse for Android app, open Settings > Server and validate that the field called Use Secure Protocol is checked.

NOTE: Ensure that everything syncs normally and shows as secure. If you push an incorrect server URL to the mobile app, the only way to recover is to remove and reinstall the Verse app on the device.

6. After you have verified that the External Server URL is correct and your migrated device can sync, set the IBM Traveler server to enforce this property for all devices by entering the following command into the Domino server console:

set config NTS_EXTERNAL_URL_ENFORCED=true

This command migrates the rest of your IBM Verse for Android apps (that meet the minimum level) to use your secure server URL.

7. Restart the IBM Traveler server to have the settings take effect.

8. Once all your IBM Verse for Android apps have been updated, you can disable the HTTP port on your Domino server, assuming it is not required for other applications that are using the same server.