MWLUG Conference 2009
IBM Center, Chicago, IL, August 27-28, 2009
Empowering the Lotus Community
Deploying DAOS and ID Vault
Luis Guirigay
http://lguiriga.blogspot.com
Twitter: lguiriga
Session: IN107
Agenda
• Who am I ?
• Introduction to DAOS
• DAOS Estimator Tool
• Configuring DAOS
• Best Practices
• Introduction to ID Vault
• Configuring ID Vault
Who am I
• Senior IT Specialist at PSC Group, LLC
• Involved in Lotus Technologies since 1998
• Co-Author of multiple IBM Redbooks (Domino 7 for i5/OS, Workplace
Collaboration Services, DB2 for i5/OS and Lotus Workflow)
• IBM Certified Administrator and Developer in 5, 6, 7, 8 and 8.5
• IBM Certified Administrator in Sametime 7.5 and 8
• IBM Certified Administrator in WebSphere Portal 6.0 and 6.1
• IBM Certified Administrator in Lotus Connections 2.0.x
• IBM Certified Developer in Lotus Workflow
• Find me at:
• http://lguiriga.blogspot.com
• Twitter = lguiriga
DAOS
Introduction to DAOS - Domino Attachment and Object Service
• It is not “Shared Mail” (Shared Mail developers are doing something
else)
• Will keep only one instance of each attachment – unless:
• Message is encrypted
• It is a Server feature – Local Replicas will get all attachments
• Cluster is supported but each server handles DAOS independently
• DAOSCatalog.nsf keeps all relationships information
• DAOS is configured per server (Not per Domain)
• DAOS is green: less data = less storage/space needed = more savings
• Attachments are now stored as encrypted .NLO files (by default)
• Transparent to end users and applications
• It requires Transaction Logging (TXN) - (That’s ok, TXN is cool)
• Follow Transaction Logging Best Practices
http://www-01.ibm.com/support/docview.wss?rs=203&uid=swg27009309
DAOS Benefits
• Disk space savings
• Also keep in mind Design and Data compression
• Backup times
• Mail routing optimization when attachments are involved
• Database compact will run faster since file size is reduced
• I/O Transactions are reduced
• Reducing view rebuild times
• DAOS files can be located at:
• Network drive
• SAN/NAS
• Local drive
DAOS Estimator Tool
• Free
• Will tell you how much space you will save before upgrading
• Tested on Domino 6.x and later (but it can run on Domino 5)
• Output:
• Get it here – IBM Technote #4021920
http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg24021920
Configuring DAOS
• DAOS disabled by default
• Remember to apply Fix Pack 1
Enabling DAOS
• Go to Server Document > DAOS
• Change it to Enabled
Enabling DAOS
• Set the minimum size based on the OS bytes per cluster and number
of attachments to be created. Example = 64 KB
• Specify DAOS base Path
• Set Defer Object Deletion (Number of days DAOS will wait to delete
the NLO file after the last message pointing to it has been deleted)
• Save and Close
• Restart server
Configuring DAOS
• Sh Server – TXN and DAOS must be enabled
Upgrade to ODS 51
• DAOS requires ODS 51
• Add CREATE_R85_DATABASES=1 to server’s notes.ini
• Update to ODS 51 using load compact -c
• ODS 51 will also compress the notes database
- Mail file reduction when upgraded to ODS 51 = 27 MB vs 12 MB
DAOSify Applications and Templates
• Use:
• load compact <folder/apps> -c -daos on
Or
• Check application property
• load compact <folder/apps> -c
• Enable DAOS at least for Mailxx.ntf
and Mailbox.ntf (So you don't need to enable it
again and again and again....)
Looking at the space savings
• After sending 2 emails – 5 MB and 30 MB
• LZ1 Compression is also used when creating the NLO files
More DAOS Information
• How many attachments were moved to DAOS
• Total size of attachment moved to DAOS
• This is a production Mail file..
Disabling DAOS
• If DAOS is disabled only at the server document
• Old messages will stay in the DAOS folder
• New messages will be stored in the DB
• To Disable DAOS at the application level
load compact <folder/app> -c -daos off
It will restore the attachments to the application, and if the
attachment is no longer used by anyone else, it will be deleted
based on the “Defer Object Deletion for” setting
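The single-instance behaviour and the “Defer Object Deletion” setting described above, as an added toy model (not Domino code and not from the original slides). The SHA-256 key, the 30-day value and the sample attachments are assumptions made for the illustration.

```python
import hashlib

class DaosModel:
    """Toy model of one server's DAOS store (not Domino's implementation)."""

    def __init__(self, min_size=64 * 1024, defer_days=30):
        self.min_size = min_size      # "minimum size" setting, in bytes
        self.defer_days = defer_days  # "Defer Object Deletion" (constructed value)
        self.objects = {}             # key -> [size, refcount, day_orphaned]
        self.unshared_bytes = 0       # attachment bytes that are not single-instanced

    def store(self, data, encrypted=False):
        """Add one attachment reference; return its key, or None if not shared."""
        if encrypted or len(data) < self.min_size:
            self.unshared_bytes += len(data)
            return None
        key = hashlib.sha256(data).hexdigest()  # stand-in identifier (assumption)
        entry = self.objects.setdefault(key, [len(data), 0, None])
        entry[1] += 1
        entry[2] = None               # referenced again: cancel pending deletion
        return key

    def release(self, key, today):
        """Drop one reference, e.g. a message was deleted on day `today`."""
        entry = self.objects[key]
        entry[1] -= 1
        if entry[1] == 0:
            entry[2] = today          # start the deferred-deletion clock

    def prune(self, today):
        """Delete objects unreferenced for at least defer_days; return their keys."""
        expired = [k for k, (_, refs, day) in self.objects.items()
                   if refs == 0 and today - day >= self.defer_days]
        for k in expired:
            del self.objects[k]
        return expired

    def shared_bytes(self):
        return sum(size for size, _, _ in self.objects.values())


def demo():
    daos = DaosModel(min_size=64 * 1024, defer_days=30)
    attachment = b"A" * (5 * 1024 * 1024)               # constructed 5 MB attachment
    keys = [daos.store(attachment) for _ in range(10)]  # mailed to 10 users
    daos.store(attachment, encrypted=True)              # encrypted copy is not shared
    daos.store(b"B" * 1024)                             # below the minimum size
    before = (daos.shared_bytes(), daos.unshared_bytes)
    for k in keys:
        daos.release(k, today=0)                        # all 10 messages deleted
    return before, daos.prune(today=29), daos.prune(today=30), daos.shared_bytes()
```

Ten references to the same 5 MB attachment cost 5 MB of shared storage, and the object survives until the deferral period has fully elapsed after the last reference is released.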
DAOS – Best Practices
• Backup Mail folder(s) first if backup is performed while server is
running (Very Important !!!!)
• Enabling DAOS on the Mail.box(es) will improve DAOS
processing time
• Enable DAOS on required Templates (Mailbox.ntf, Mailxx.ntf,
etc…)
• Do not enable DAOS to the Mail Journal
• DAOS encryption represents up to 5% CPU utilization. Evaluate
whether it needs to be disabled (don’t worry too much about this)
• Evaluate location of DAOS Folder based on:
• I/O costs
• Storage Capacity
DAOS – Best Practices
• Do not play with the DAOS folder (It’s not a toy)
• Don’t move files
• Don’t delete files
• Let DAOS handle NLO files
• Notes/Domino Best Practices: Transaction Logging (# 7009309)
• Using the Lotus Domino Attachment and Object Service
Estimator tool (# 7014980 )
• DAOS Backup and Restore (# 1358548)
DAOS – Best Practices
• Minimum size limit based on your system's disk block
fsutil fsinfo ntfsinfo <drive>
• DAOS Estimator tool can help you to define minimum value
ID Vault
• It is an optional feature that automates the most important ID related
operations
• Synchronize passwords across multiple copies
• Upload a copy of the user ID to the ID Vault
• Allows resetting a password from the Admin client
• Use method ResetUserPassword to create self-service applications
• Automates Key rollovers
• Automates user renames
• Allows restoring IDs in case of loss or corruption
• No need to have the ID when installing a new Notes client
• Audit role – allows to download a copy of the ID for auditing
purposes.
SECURE_DISABLE_AUDITOR=1 to disable it
ID Vault Requirements
• Servers hosting the Vaults or involved in the process must be 8.5
• Clients must be 8.5
• New Security view in both server and client’s log.nsf
• Multiple Domino Domains are not supported
• But Multiple Organizations within the same domino domain are
Configuring ID Vault
• Read carefully and click Next
Configuring ID Vault
• Enter the ID Vault’s name and some descriptive information. Click Next
• Remember.. You can create multiple ID Vaults
• The description will become the DB title
• Don’t name the ID vault as the Org, Domain, OU
Configuring ID Vault
• Enter a password and confirm it. Click Next.
• Optional: Set the ID Vault’s ID location (Yes.. You need to worry
about a new ID)
• Do not forget this password !!!
Configuring ID Vault
• Select your primary ID Vault server. Click Next
• You can add replicas of the ID Vault to other servers later
Important !!!! ID Vault replicas cannot be created using the standard
“Create Replica” process – You must use ID Vault > Manage ID Vault
Replicas
Configuring ID Vault
• Select the ID Vault administrators
Configuring ID Vault
• Select the Organizations or OUs that should be part of this ID Vault
Configuring ID Vault
• Add the users authorized to reset passwords
• Users/Servers with the “Password reset agent authority” will be able to
sign agents that can reset passwords.
Configuring ID Vault
• Select “Create a new policy assigned to an organization”
• It will create an organizational policy
• There are multiple options here…. Be my guest !
Configuring ID Vault
• Select the Org to which this policy will be assigned.
Configuring ID Vault
• Enter some information to help the user contact the right team, or
anything else that may help.
• This field supports html
ID Vault
• Review all the details and click Create Vault.
• You will be asked for one or more Cert Ids (based on the Org applied to
the ID Vault)
ID Vault
• Cool !!!! We have created our first ID Vault
ID Vault
• Let’s see our new Policy
ID Vault
• and our ID Vault
ID Vault – Best Practices
• Here is our first user’s id uploaded to the Vault.
• It may take some time to upload the ID (the first time)
• ID File is encrypted
Administering ID Vault
Questions ??