IBM Domino 10.0.1 Installation on Ubuntu 18.04

Mindwatering Incorporated

Author: Tripp W Black

Created: 03/28/2019 at 09:37 PM

 

Category:
Linux
Domino

We installed Traveler around 2010 on Ubuntu and have been upgrading Ubuntu (via do-release-upgrade) and Domino and Traveler in-place. However, we want to move Ubuntu to 64-bit. Therefore, we are installing a new VM.

WARNING:
Ubuntu is not a supported OS for Domino server. Domino runs great on Ubuntu, and in a smaller footprint with the server minimal install. However, IBM/HCL may not support your installation for a Passport support ticket.


STEP 1: Install and Prep New Server:

Install the 64-bit desktop edition of Ubuntu 18.04. Choose the minimal option during set-up (unless you want a desktop).

After reboot update the system:
$ sudo apt-get update
$ sudo apt-get upgrade


Install Prerequisites:
$ sudo apt-get install openssh-server
$ sudo apt-get install net-tools
$ sudo apt-get install ttf-xfree86-nonfree
$ sudo apt-get install gcc
$ sudo apt-get install gdb
$ sudo apt-get install unzip
$ sudo apt-get install bc
$ sudo apt-get install perl

Note: BC, Perl, Unzip, and GDB were all already installed for us.


Increase the file-handle and process limits for Domino. Update limits:
$ sudo vi /etc/security/limits.conf
Add the following. Change the "notes" user if your Domino user is something different.
notes soft nofile 60000
notes hard nofile 80000
notes soft nproc 12500
notes hard nproc 12500


Configure UFW:
$ sudo ufw allow proto tcp to any port 22 from 192.168.n.0/24
$ sudo ufw allow proto tcp to any port 22 from 10.0.n.0/24
$ sudo ufw allow proto tcp to any port 1352
$ sudo ufw allow proto tcp to any port 443
$ sudo ufw allow proto tcp to any port 80
$ sudo ufw allow proto tcp to any port 8642
$ sudo ufw enable
$ sudo ufw status


Set-up the server with a static IP.
Note: If you use the GUI tool, you'll have to actually stop and restart networking. The Apply button doesn't restart the network like you'd expect.

$ sudo vi /etc/network/interfaces
Update like following:
auto ens160
iface ens160 inet static
address 192.168.n.123
netmask 255.255.255.0
network 192.168.n.0
broadcast 192.168.n.255
gateway 192.168.n.1
dns-nameservers 192.168.n.1 123.123.123.123
dns-search mindwatering.internal mindwatering.com

$ sudo service networking restart


Create the new server user (e.g. notes or lotusnotes):
$ sudo useradd -d /home/notes -m notes
$ sudo passwd notes


If you are swinging the Domino install (moving a virtual disk), then attach it via fstab.
$ sudo vi /etc/fstab


Create the notesdata folder:
$ sudo mkdir -p /local/notesdata
$ sudo chown -R notes /local/notesdata
$ sudo chgrp -R notes /local/notesdata



STEP 2: Transfer /local/notesdata to the New Server:

Use FileZilla or some other utility (e.g. rsync) to copy all of /local/notesdata to the new server.
Server OLD /local/notesdata/ --> NEW /local/notesdata/

There can easily be 100000 files to transfer. Therefore, I typically use sshpass and rsync, since it's much faster. Below is my command line to copy from the old server to the new server:
$ sudo apt-get install sshpass

Connect manually to get the old server's SSH key:
$ ssh sysadmin@10.10.10.10

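Now we can perform the transfer. Note that sshpass -p puts the password on the command line, where it is visible in the process list and the shell history; sshpass can also read it from a file (-f) or from the SSHPASS environment variable (-e).
$ sudo sshpass -p 'myoldserverpassword' rsync -avz --no-perms --no-owner --no-group sysadmin@10.10.10.10:/local/notesdata/* /local/notesdata/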

Change the ownership again as necessary:
$ sudo chown -R notes /local/notesdata
$ sudo chgrp -R notes /local/notesdata



STEP 3: Install Domino:

Replace the bash/sh:
For Ubuntu, we need to update the shell, so that /bin/sh is bash.
Note: You could update the notes user's .profile instead. There are a few different solutions for this.

Replace / relink sh:
(The server script uses /bin/sh; we do this to ensure we are using bash, not dash. These instructions save the old link as sh-old in case you ever wish to put it back.)
$ sudo mv /bin/sh /bin/sh-old
$ sudo ln -s /bin/bash /bin/sh


Install 64-bit Domino:
Notes:
Copy the install files for Domino to the server (e.g. /home/notes/tmp)
You must end up with a Domino version the same as or higher than the one being copied. To the server it will look like an upgrade. For example, if the old server is Domino 9.0.1 FP7, install the full Domino 9.0.1, and then
$ cd /home/notes/tmp/
$ sudo tar -xvf DOM_SVR_V10.0.1_64_BIT_Lnx.tar
$ cd linux64/domino
$ sudo -s
# ./install
... answer "yes" to continue in console mode
.. 1 for Next
.. 1 to accept the agreement
.. 0 for no partition upgrade and to continue
.. 1 for Next
.. <enter> to take default program directory ( /opt/ibm/domino )
.. <enter> to take No for partitioned server
.. 1 for Next
.. <enter> to take default data directory ( /local/notesdata/ )
.. 1 for Next
.. <enter> to take the domino server's user name ( notes )
.. <enter> to take the domino server's group name ( notes )
.. <enter> to take the option to setup server manually ( X Manual - 0 )
.. 1 for Next
.. 0 for Domino Enterprise Server
.. 1 for Next
Review installation answers for accuracy.
.. <enter> to read down the page
.. 1 for Next


After installation, we need to redo the FT and view indexes:
# su notes
$ cd /local/notesdata
$ /opt/ibm/domino/bin/fixup -F
(wait)
$ /opt/ibm/domino/bin/compact -c
(wait)
$ /opt/ibm/domino/bin/updall -R
(wait)


Test the install:
# su notes
$ cd /local/notesdata
$ /opt/ibm/domino/bin/server
$ exit


Remove the install directory:
# rm -rf /home/notes/tmp/linux64/


Add a soft link for dbmt. It's needed by the autostart scripts.
$ cd /opt/ibm/domino/bin/
$ sudo ln -s /opt/ibm/domino/bin/tools/startup dbmt


Autostart service files:
(We like the Nashed ones.)
In file domino, update the DOMINO_USER and DOMINO_START_SCRIPT path to the rc_domino_script.
In file domino.service, update the User line to your OS Linux Domino user, and update the ExecStart and ExecStop to /opt/ibm/domino/...
In file rc_domino_script, update the DOMINO_CONFIG_FILE and the DOMINO_DEFAULT_CONFIG_FILE path to the /etc/domino/rc_domino_config, update the $DOMINO_USER line 42 from notes to your Domino OS username as needed, and update line 45, LOTUS path, to /opt/ibm/domino.
In file rc_domino_config_notes, update the LOTUS path line to /opt/ibm/domino.

# cd /home/sysadmin/tmp/
# mv domino /etc/init.d/
# mv rc_domino_script /opt/ibm/domino/
# mkdir /etc/domino/
# mv rc_domino_config_notes /etc/domino/
# mv domino.service /etc/systemd/system/


Make sure all but the config file are executable.
# service domino start
or
# systemctl start domino.service
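
The permission check above can be scripted. This is an added example, not part of the original page or of the start script package. The group/other write-bit test is an addition beyond the executable requirement stated here, and the optional root prefix argument is hypothetical, so the check can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example: audit the autostart files after they are moved into place.
# Relies on GNU stat (-c), as shipped with Ubuntu.
audit_domino_startup() {
    root="${1:-}"      # hypothetical prefix; empty means the live system
    rc=0
    # path:flag   1 = must be executable, 0 = only the write bits are checked
    for entry in \
        "/etc/init.d/domino:1" \
        "/opt/ibm/domino/rc_domino_script:1" \
        "/etc/systemd/system/domino.service:0" \
        "/etc/domino/rc_domino_config_notes:0"
    do
        path="$root${entry%:*}"
        want_exec="${entry##*:}"
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")       # octal mode, e.g. 755
        has_exec=$(( 0$mode & 0111 ))      # any execute bit set
        loose=$(( 0$mode & 022 ))          # group or other write bit set
        if [ "$want_exec" = 1 ] && [ "$has_exec" -eq 0 ]; then
            echo "NOT-EXEC  $path ($mode)"; rc=1
        fi
        # Files run or read at service start should not be writable by
        # anyone but their owner.
        if [ "$loose" -ne 0 ]; then
            echo "WRITABLE  $path ($mode)"; rc=1
        fi
    done
    return "$rc"
}
```

Call audit_domino_startup with no argument to check the live paths; it returns non-zero and names each file that fails.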

_______________________________________________________________________

Post Install

In Domino 9.0.1, the server supported TLS 1.2 by adding notes.ini settings. Those are now IGNORED in Domino 10.0.x.

Make sure you have both a Web Internet Site document and an SMTP Incoming Internet Site document. Enable the ciphers to be used. The Domino server automatically ranks them on strength. If you do not set these up, you will see the following error messages:

For the HTTP/Web, Internet Site document, the error message for not setting this up will be:
- TLS/SSL Connection 123.123.123.123 (12345) -> 321.321.321.321 (443) failed with no supported ciphers
- In Firefox, the error will be: SSL_ERROR_NO_CYPHER_OVERLAP

For the Incoming SMTP, Internet Site document, the error message for not setting this up will be:
- TLS Connection Failed - No supported Ciphers. 0 Messages Received.

For the LDAPS, Internet Site document, the error message for not setting this up will be:
- TLS/SSL Connection 123.123.123.123 (12345) -> 321.321.321.321 (636) failed with no supported ciphers
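
To see which Internet Site document still needs its ciphers enabled, the messages above can be counted per listener from saved console log text. This is an added example, not part of the original page; the timestamp prefix and the sample lines are constructed around the messages quoted above.

```shell
#!/bin/sh
# Added example: count "no supported ciphers" errors per Internet Site
# document. Reads console log text on stdin.
triage_cipher_errors() {
    awk '
    /failed with no supported ciphers/ {
        doc = "unknown listener"
        # The destination (server) side follows the arrow: "-> ip (port)"
        if (match($0, /-> [0-9.]+ \([0-9]+\)/)) {
            port = substr($0, RSTART, RLENGTH)
            sub(/.*\(/, "", port); sub(/\)/, "", port)
            if (port == "443")      doc = "Web Internet Site (443)"
            else if (port == "636") doc = "LDAPS Internet Site (636)"
            else                    doc = "port " port
        }
        count[doc]++
    }
    /TLS Connection Failed - No supported Ciphers/ {
        count["Incoming SMTP Internet Site"]++
    }
    END { for (d in count) printf "%d %s\n", count[d], d }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input (log line prefix format is an assumption).
sample_console_log() {
    cat <<'EOF'
03/28/2019 09:40:01 PM  TLS/SSL Connection 123.123.123.123 (12345) -> 321.321.321.321 (443) failed with no supported ciphers
03/28/2019 09:40:07 PM  TLS/SSL Connection 123.123.123.123 (12346) -> 321.321.321.321 (443) failed with no supported ciphers
03/28/2019 09:41:15 PM  TLS/SSL Connection 123.123.123.123 (12350) -> 321.321.321.321 (636) failed with no supported ciphers
03/28/2019 09:42:30 PM  TLS Connection Failed - No supported Ciphers. 0 Messages Received.
03/28/2019 09:43:00 PM  HTTP Server: Started
EOF
}
```

Run it as: sample_console_log | triage_cipher_errors, or pipe a saved console log into triage_cipher_errors.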


New Install Security Audit:
Settings to check/change when upgrading or a new first-server install.

1. Update Person Doc Secure Internet Passwords Setting in Directory
Admin client --> People and Groups tab --> People --> MW Directory (names.nsf) --> Edit Directory Profile, change Use more secure Internet passwords --> Yes - Password verification compatible with Notes/Domino release 8.0.1 or greater


2. Update WebSSO document.
Admin client --> Configuration tab --> Web --> Web Configurations --> Web SSO Configuration for : LtpaToken

Require SSL protected communication (HTTPS): Enabled
Restrict use of the SSO token to HTTP/HTTPS: Enabled


3. Update HTTP Headers in Web Site Internet Docs or Global Config
Search this app knowledge database for updating HTTP Headers in Domino.


4. Install the TLS kyr/sth onto the server. Use tell http show security and browser testing to confirm success.
Search this app knowledge database for multiple ways to request and make keyrings for Domino


5. Verify your site's SSL/TLS and header usage using Qualys, SecurityHeaders, and ZAP.

_______________________________________________________________________




