best practices of notes traveler deployment

Best Practices of IBM Notes Traveler Deployment

Date: 27 Aug 2015

2 | © 2015 IBM Corporation

Open Mic Team

• Sandip Singh - IBM ICS Support engineer• Presenter

• Sukanya Yenneti - IBM ICS Support engineer• Presenter

• Ranjit Rai - IBM ICS SWAT• Focussing on entire Notes/Domino

• Jayavel Rajendran - IBM ICS SWAT• Focussing on entire Notes/Domino

• Hansraj Mali - IBM ICS SWAT• Focussing on Notes/Domino

• Narendra Nesarikar – IBM ICS Support• Facilitator for Open Mics


Agenda

● Choosing the deployment

● Reasons for migrations to new Hardware

● Migrating Traveler Server to new Hardware

● Best practices to upgrade Traveler Server

● Common problems observed at time of Traveler upgrade

● Moving a stand alone system to HA

● Best practices to enable https on Traveler Server

● What's new in Notes Traveler 9.0.1.3 and later releases

● IBM Verse on Apple device


Choosing the deployment:

Basic Stand-alone Traveler Architecture


Choosing the deployment:

Basic Traveler HA Architecture


Choosing the deployment (continued..)

Traveler and Mail servers in different Domino Domain

● Keep the IBM Traveler server's directory separate from Mail server to prevent design changes.

● Minimize the amount of data from the mail servers that is accessible from the Notes Traveler server.

● Name look-up can still be done from Traveler server using the below notes.ini along with DA.

NTS_TRAVELER_AS_LOOKUP_SERVER=true. Note: With this deployment if you want to move to HA then all Traveler server in HA pool should be from same DOMAIN.


Choosing the deployment (continued..)

Network consideration● Mail server, IBM Traveler server and Enterprise database server should be located in the same LAN.

● Ping response not more than 50 m/s from Traveler server to mail servers.

● Use HTTP or HTTPS to communicate with the Traveler server from the device.

● Do not use form base authentication, use basic authentication (401).

● Use basic Round Robin without session affinity for load balancers in HA setup.

● Network equipment must not block or alter traffic between mobile device and server.

Disk Considerations

● Windows 64/Domino 64 - 425 IOPs (I/O operations per second).

● The disk I/O requirements for the enterprise database server are higher in order to support multiple IBM Notes Traveler servers in HA.


Choosing the deployment (Continued..)

Capacity Guidelines:

Note: While you are in HA maximum devices per server scale up to 2500.

Reference:http://www-10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupName=Administering+Lotus+Notes+Traveler+8.5.3#action=openDocument&res_title=Capacity_planning_guidelines_for_Lotus_Notes_Traveler_LNT853&content=pdcontent

Maximum Devices Minimum OS Minimum Physical Memory

Minimum CPU Cores

100 Win32 4GB 2

300 Win32/Linux32 4GB 4

1000 Win64/Linux64 8GB 4

2000 Linux 64-bit 16GB 8

2000 Windows 64-bit 16GB 8


● New hardware for improved performance.

● 32-bit operating system to 64-bit operating system to host more users.

● Unsupported operating system to a supported operating system.

● Standalone IBM Notes Traveler to HA for fault tolerance.

Reasons for migration to new Hardware:


Migrating Traveler Server to new hardware:

Method 1 - Full data copy:

● Copy the contents of the Domino data directory from Traveler old to Traveler new.

● Change the hostname and IP address of the Traveler new server to match the hostname and IP address of the Traveler old server.

Method 2 - Minimal data copy:

● The Domino Server Name can be different.

● Copy these files/directories from Traveler old to Traveler new:

data/traveler/ntsdbdata/LotusTraveler.nsfdata/ntsclcache.nsf


Migrating Traveler Server to new hardware: (Continued..)

Method 2 - Minimal data copy: (Continued..)

● Change the hostname and IP address of the Traveler new server to match the hostname and IP address of the Traveler old server.

● Take TRAVELER and HTTP out of the ServerTasks list in the notes.ini file and then start the Domino server.

● Change host name used in the Domino server document.


Method 2 - Minimal data copy (Continued..)

● Change host name in any Internet Site Documents, if specified.

● Add TRAVELER and HTTP back to the ServerTasks list of notes.ini file.

References:http://www-10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupName=Administering+Lotus+Notes+Traveler+8.5.2#action=openDocument&res_title=Moving_Lotus_Notes_Traveler_to_a_new_server_LNT8521&content=pdcontent

Migrating Traveler Server to new hardware: (Continued..)

http://www-10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupName=Administering+Lotus+Notes+Traveler+8.5.2#action=openDocument&res_title=Moving_Lotus_Notes_Traveler_to_a_new_server_LNT8521&content=pdcontent




Best practices to upgrade Traveler server:

● Announcing the upgrade schedule.

● Backing up files.

● Updating Lotus Domino, then upgrade Traveler server.

● Upgrade the design of Domino directory.

● All devices, except the iOS devices are required to upgrade the IBM Notes Traveler application after the server is updated, to have the new features.


Best practices to upgrade Traveler server: (Continued..)

● After upgrading the server, you can use IBM Notes Traveler immediately. Resynchronization between the server and devices does not occur.

● Maximum cached users:



● Maximum memory size:

● By default, the value of the maximum memory size is 1024 MB for 64-bit. Evaluate the system load and adjust the memory size as necessary.

● Use the tell traveler mem or tell traveler status command to determine if Java heap is sufficient on your system.



● Ensure that number of devices that are accessing the traveler should have the proper number of HTTP threads are allocated to the server.

● Number of threads that are needed is 1.2 times of the number of devices.


Common problem observed at time of Traveler upgrade

● Upgrade traveler domino server to latest version before traveler upgrade.�

● Immediate backup of ntsdb is recommended.

● Remove traveler task from traveler server notes.ini, while domino server upgrade.

● Verify no notes/domino and java task is running while upgrade.


Moving a stand alone system to HA:

● Moving stand alone IBM Notes Traveler servers into a high availability pool.

● IBM Notes Traveler High Availability configuration provides for improved fault tolerance.

● HA configuration enables additional capacity to be added as needed for future growth.

● IBM Notes traveler server in a HA pool:

Maximum Devices per Server Minimum Operating System Minimum Physical Memory Minimum CPU Cores

2,500 Linux 64-bit 16GB 4

2,500 Windows 64-bit server 16GB 4


Moving a stand alone system to HA: (Continued..)

• Deploys multiple IBM Notes Traveler servers in a service pool.

• The pool of IBM Notes Traveler servers is accessed through a single URL.

● The internal database on each individual IBM Notes Traveler server is no longer used.

● This enables any server in the HA pool to service requests from any user/device.



Requirements specific to running an HA Pool:

- Must run on 64 bit Windows or Linux OS.

- DB2 Enterprise server 9.7 FP5 or later.

- MS SQL Enterprise Server 2008 or later.

- Enterprise Database Server for the HA Pool:

Maximum Devices in Service pool

Minimum Physical Memory Minimum CPU Cores

4,000 16GB 4

6,000 16GB 4

8,000 16GB 4

10,000 32GB 8

12,000 32GB 8



The minimum configuration for IBM Notes Traveler HA Pool is as follows:

- Two Domino servers running IBM Notes Traveler.

- One DB2 server or Microsoft SQL server.

- One server running the IP sprayer/load balancer.



Process for Derby to Enterprise DB Migration is as follows:

- Only add one server to the pool at a time. First server creates the service pool.

- On startup will migrate user data to enterprise db.

- Allow data migration to complete before adding another server.

- Use DNS or Proxy for single access URL.


Best practices to enable https on Traveler server:

● Change the External Server URL of Traveler on the Server Document from

“http://<servername>/traveler” To “https://<servername>/traveler”

● After updating the External Server URL from http to https, all users must reconfigure their devices to the new server URL which is using https.

● There are currently no solutions available that will automatically update or reconfigure the devices. Enhancement Request JEDP-9V5QEG has been created.


Best practices to enable https on Traveler server: (Continued..)

● If can't reconfigure all devices at that time then you should keep TCP/IP port status to "Enabled" under TCP section in server document.



What is Poodle?

● POODLE - Padding Oracle On Downgraded Legacy Encryption.

● This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

● POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.

● It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

● DISABLE_SSLV3=1 allows Domino server to disable SSLv3.



Points to remember to avoid Poodle on Traveler server:

● A Notes Traveler solution may or may not be impacted by the POODLE attack depending upon the deployment configuration together with the technical responses or updates offered by the various platform vendors.

1. Consult the mobile device vendors for details on their product responses to this attack.

2. Mobile devices connecting via SSLv3 directly to a Notes Traveler (Domino) server.

3. Mobile devices connecting via Mobile Device Management (MDM) servers.

● NTS_SSL=true to encrypt the server to server communications.

● The Notes Traveler server has been updated to use TLS as default encryption protocol for server to server communication.



● IBM has released APAR patch LO82423 to prevent the use of SSLv3 in Notes Traveler secure server-to-server communication. This patch has been included in Interim Fix updates for the following Notes Traveler server releases and in all future releases:

9.0.1 IF7 9.0.0.1 IF8 8.5.3 Upgrade Pack 2 IF8

References:https://www-304.ibm.com/support/docview.wss?uid=swg1LO82423http://www.ibm.com/support/docview.wss?uid=swg21688179

● IBM has released Domino server Interim Fixes that implement TLS 1.0 to protect against the POODLE attack.

References:http://www.ibm.com/support/docview.wss?uid=swg21687167

http://www-01.ibm.com/support/docview.wss?uid=swg1LO82423

http://www-01.ibm.com/support/docview.wss?uid=swg1LO82423

https://www-304.ibm.com/support/docview.wss?uid=swg1LO82423

http://www.ibm.com/support/docview.wss?uid=swg21688179


Whats new in Notes Traveler 9.0.1.3:

● IBM Traveler 9.0.1.3 requires Domino 8.5.3.x, 9.0.0.x, or 9.0.1.0.x (or later).

● We recommend running Domino 9.0.1 to take advantage of all latest fixes and features.

● If installing on a Domino 8.5.3 server it is required to also install Domino 8.5.3 Upgrade Pack 1 if not already installed.

● Can be installed on any previous release of Traveler, stand alone or HA.

● Same Enterprise DB support as 8.5.3 UP2.

● BlackBerry devices latest firmware 10.3.1 support syncing the Trash Folder.

● IBM Verse for iOS devices is supported but it is not supported if running on a Domino 8.5.3 server. Upgrade Domino to a 9.0.x or later version for support.


What is IBM Verse?

● It is a powerful email hosting solution that enables users to access their business communications from a laptop or desktop browser or from a mobile device.

● This email and business messaging experience is based on an innovative user-centric design, including social analytics and advanced search capabilities.

● IBM Verse helps users quickly find and focus on what content is most important, empowering them to build stronger working relationships while optimizing business results.


IBM Verse for Apple devices

Requirements for Apple:

● iOS 8.1 or later.

■ The app can only be used by Verse-licensed users in Connections Cloud or against on-premise IBM Traveler servers at 9.0.1.4 or higher.

■ Domino must be 9.0 or later version.

■ IBM Traveler servers must support SSL/TLS and have a valid certificate (Not self-signed one).

■ The same IBM Verse for Apple devices client is used in either the cloud or on premise versions, however some Verse capabilities are only available in the cloud. Those are:-

● 'Important People' features

● People photos obtained from Connections Profiles


IBM Verse for Apple devices On-Prem

■ IBM Verse can be installed from the Apple iOS App Store.

■ To configure IBM Verse for the first time, you'll need to know the address of your IBM Traveler server.


IBM Verse for Apple devices On-Prem (Continued..)

■ You may be required to set an application passcode for whenever you use IBM Verse.



■ If the configuration is successful and pascode setting is done then IBM Verse will open the mail Inbox and start syncing with the server.

■ From the Settings page, you can also choose whether to sync new data to your device automatically (if your server supports it) or manually.


IBM Verse for Apple devices On-Prem (Continued..)Need Action: ● When you receive a mail message that contains an action item, you can add it to a list of things that

need to be completed.

● From the inbox, left swipe the message to display the option menu, then press the “Needs Action” icon (Or ) From the message itself, press the same icon to open the options menu, then choose “Mark Needs Action”.



Need Action (Continued..) : ■ You can add notes to the message by tapping the Capture you notes here...



Waiting for a response: ■ IBM Verse lets you track responses from mail messages you've sent. You do this by marking the

message as “Waiting For”.

■ Tap “Waiting For” icon from swipe menu from in Sent or Draft folder mails.

■ Tap Mark as “Needs action” button from compose view.


IBM Verse for Apple devices On-Prem (Continued..)Calendar entries:● IBM Verse for Apple devices lets you see and access all your upcoming calendar entries in a quick

and visual way.


IBM Verse for Apple devices On-Prem (Continued..)Mail View:

Inline Images, Attachments And Domino Encrypted.

Mail Actions:

Trash, Move to Folder, Reply, Reply All, Forward and Quick Reply.

Mail Settings:



Mail Thread:● IBM Verse adds a graphical conversation style to mail messages that lets you keep all your mail

threads organized and easily viewable within your inbox.



Draft, sent and folders:● Form your Inbox, just select the Mailbox button to display your folders. From there, choose either the

Drafts or Sent folder to show the contents.

■ You'll see all your preexisting IBM Notes and SmartCloud Notes folders, and you can interact with them just as you would in those environments.



Important to Me feature and Search Messages in contacts:■ The “Important to Me” feature is only available for Connections Cloud users.

■ Message can be searched from specific contacts:-

1. Contact's business card.

2. Can see all the messages from

your Important people contacts


IBM Verse for Apple devices On-Prem (Continued..)Today widget:● The Today widget for IBM Verse provides a whole range of information about your day in the iOS

Today view.


How to stay informed of available maintenance● Recommended Maintenance Technote:


● Notes Traveler APAR Listing by release:

http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing

● Registering for Notes Traveler notifications:

http://www.lotus.com/ldd/dominowiki.nsf/dx/How_to_subscribe_to_Notes_Traveler_product_notifications

● Notes Traveler Part Number Index:

http://www.lotus.com/ldd/dominowiki.nsf/dx/Notes_Traveler_Part_Number_List_for_Fast_Search_on_Passport_Advantage


http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing


Questions

Q & A

best practices of notes traveler deployment

Education