#Security
Posts tagged #Security · 5 posts
- Domino 14.5 Mandated Port Encryption Hands-On — CheckPortEncryption Agent, portenc Commands, and Recovery Paths
Following yesterday's concept piece, this article walks through the official 10-step enablement procedure: upgrade the server address book design, sign the CheckPortEncryption scheduled agent, key Directory Profile fields, server ini values (DEBUG_MANDATED_ENCRYPTION, MANDATEDENC_ACTIVE_REFRESH_TIME), Desktop policy entries (DISABLE_MANDATED_ENCRYPTION), the portenc refresh / show console commands, and how to back out if enforcement breaks something. Pre-14.5 servers get their own behavior section.
2026.05.12
- What That `?` Icon Means in Domino 14.5 — Mandated NRPC Port Encryption Concepts and Modes
After upgrading to Domino 14.5, admins see a new `?` icon in the rightmost column of the server view in the Domino Directory. It's not a bug — it's the compliance indicator for the new Mandated NRPC Port Encryption feature, sitting in its default disabled state. This piece walks the history of NRPC port encryption, what 14.5 actually adds (mandate + monitor), how to read the icons, and the three enablement modes. Hands-on enablement steps are in the follow-up article.
2026.05.11
- Domino 14.5 Changes Where NotesHTTPRequest Loads Trusted CAs From — Read Before You Upgrade
Starting with Domino 14.5, server-side LotusScript NotesHTTPRequest loads trusted root CAs from the Domino Directory by default, no longer from cacerts.pem in the data directory. The Notes client is unaffected, and a notes.ini fallback (NotesHTTPRequest_Use_CACerts=1) reverts to the old behavior — but long term, you should migrate self-signed CAs into the Domino Directory. This piece walks the change, scope, pre-upgrade checklist, and ties back to the 5/7 deep-dive on the NotesHTTPRequest toolchain.
2026.05.10
- DQL Production-Ready: Catalog Maintenance, Permissions, and sessionAsSigner
The two real walls when shipping DQL to production: how the Design Catalog gets maintained automatically (bootstrapping brand-new NSFs, incremental refresh after design changes), and why regular users hit the 'You don't have permission' error — plus the sessionAsSigner / scheduled-agent solutions. The final pattern is verified against Domino 12 production logs, with a production-ready Java helper class to drop in.
2026.05.03
- Domino V12 lets notes.ini hold multiple HTTPAdditionalRespHeader entries
Older Domino releases let you put exactly one HTTPAdditionalRespHeader in notes.ini — a second line silently overwrote the first. HCL added a numbered convention (HTTPAdditionalRespHeader01, 02, …) in V12.0.x so you can ship a full security-header baseline through notes.ini alone, which is the only path that still works when HTTP won't start and the Internet Site documents are unreachable.
2026.04.28