AdminCamp ’15 · 2016-07-09 · AdminCamp 2015 –Sept. 21-23 Notes & Domino –> mit Verse und...
Notes & Domino –> mit Verse und On-Premises
AdminCamp 2015 – Sept. 21-23
AdminCamp ’15 Closing General Session
Who Am I?
Administrator & Developer since version 2.0
IBM Lotus Beacon Award Winner
Services:
- Site Performance Reviews
- Legal Case Consulting
- Application Development
- Administrative Overhaul
- Security Review & Penetration Testing
Products:
- NCT Search
- NCT Compliance Search
- NCT Simple Sign On
- NCT SAML for Domino 7+
Structural Firefighter
About this Presentation
It’s almost time to go home – Let’s have a bit of fun
Each short section is meant to stand on its own
If you have to leave, that’s OK
The longer you stay, the more you may find interesting
What’s in these slides?
A selection of brief suggestions for Domino Administrators
Taken from key points of several presentations
A selection of strange but true facts
These have nothing at all to do with IBM Domino
DID YOU KNOW?
The lighter was invented
before the match
Let’s Talk About Disk Speed
Will SSD (Flash) drives really help?
Solid State Drives (SSD)
Also known as “FLASH” drives
Getting more common on Laptops, Netbooks
Reliability Issues are Largely Resolved
VERY Fast READ Times
Write Performance Quickly Degrades
- This is changing quickly, but still the case for most uses
Windows 7 & Windows Server 2008 R2 Support “TRIM” http://en.wikipedia.org/wiki/TRIM
Good for Program Files, Java Libraries
Bad for NSF Databases, Indexing, Translogs
SSD Performance Problems with Indexing
View Indexing creates lots of very small, temporary files
Solid State Drives do not handle tiny files as well
Typical spinning drives write in sectors of 512 bytes
- Newer drives, designed after 2011, use 4kb sectors.
The smallest unit an SSD can write is a “Block” which can be anywhere from 256kb to 4mb in size.
- To write a smaller amount of data to a block, the entire block is still written. If there is existing data in part of a block, the whole block is read, altered in memory, then re-written.
- The Samsung EVO 840, a current high quality SSD, uses a 2mb block size. This is 500 times larger than a spinning drive’s sector.
New Cached Controllers Save Money
SATA RAID w/ SSD Cache Drives
- Allow inexpensive spinning SATA Drives in RAID Configurations
- Attach 128GB or 256GB SSD for Read/Write Cache
- Cache drive is connected directly to the controller
- The controller manages the cache
Benefits
- All the safety, hot-swap, and management of RAID
- All the performance of an SSD
- SATA Drives are CHEAP CHEAP CHEAP
Product Examples:
- Adaptec 6805Q with MaxCache 3.0
- LSI MegaRAID SAS 9271-8i
If you have 23 people in a room,
there is a 50% chance that
two of them have the
same birthday
DID YOU KNOW?
Look at that View!
The better you make your database views work, the faster your server will be
Use the “Manage Views” Admin Client Feature
Switch @Responses to @AllDescendants
NO visible difference to users
Can reduce view sizes drastically
View #2 is 153 Times the Size of #1 and has the EXACT same content
Limit Sorted Columns
Each Additional Sorted Column Can DOUBLE the size of the view index
5 Sorted Columns? In our 30k Doc Example, Our 6mb View could become:
6mb * 2 * 2 * 2 * 2 == 96 mb
Oxford University
is older than the
Aztec Empire
DID YOU KNOW?
Authentication Buzzwords
The minimum you need to know about SAML and OAUTH
OAUTH Acts like a “valet key”
The ‘Client’ gets its own set of credentials to access your account
You can limit what those client credentials may do on your behalf
Allows you to control or revoke access on a case by case basis.
OAuth Terminology
Resource Owner: Whose Content Is it?
Client: Who wants to access the content?
Server: Where does the content live?
SAML Overview
SAML is a very rich and detailed specification which provides for passing identity along with meta data between an Identity Provider and one or more Service Providers
Data is passed in XML packages
- Generally using http protocols, but not necessarily always. The XML can be passed almost any way.
Packaged XML can be signed, encrypted, both, or neither
Communication can be made directly between the SP and the IdP or the XML packages can be passed by the requesting client.
- Usually, the packets are passed by the requesting client as part of the http GET or POST data
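An added example, not part of the original slides: a Service Provider-side check that undoes the GET (redirect) or POST transport encoding of a SAML message and reports whether it arrived signed, encrypted, both, or neither. The sample messages, the function names and the assumption that the parameter is already URL-decoded are constructed for illustration; the check is structural and does not validate the signature itself.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_saml(param, binding):
    """Undo the transport encoding of an (already URL-decoded) SAML parameter."""
    raw = base64.b64decode(param, validate=True)
    if binding == "redirect":          # HTTP GET: raw DEFLATE, then base64
        raw = zlib.decompress(raw, -15)
    return raw                         # HTTP POST: base64 only

def protection(xml_bytes):
    """Report whether the message is signed, encrypted, both, or neither.
    Structural check only: it does not validate any signature."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in SAML message, refusing to parse")
    root = ET.fromstring(xml_bytes)
    signed = (root.find("ds:Signature", NS) is not None
              or root.find("saml:Assertion/ds:Signature", NS) is not None)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    return {"signed": signed, "encrypted": encrypted}

# Constructed samples (not captured traffic): one bare assertion, one that
# carries an empty ds:Signature element to stand in for a signed assertion.
BARE = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        b'<saml:Assertion><saml:Subject><saml:NameID>jdoe</saml:NameID>'
        b'</saml:Subject></saml:Assertion></samlp:Response>')
SIGNED = BARE.replace(
    b"<saml:Assertion>",
    b'<saml:Assertion><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>')

def as_post(xml_bytes):
    return base64.b64encode(xml_bytes).decode()

def as_redirect(xml_bytes):
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml_bytes) + deflater.flush()).decode()

if __name__ == "__main__":
    print(protection(decode_saml(as_post(BARE), "post")))
    print(protection(decode_saml(as_redirect(SIGNED), "redirect")))
```

A message that reports neither signed nor encrypted has passed through the requesting client with no protection, so an SP should not accept its assertion.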
SAML Terminology
Security Assertion Markup Language
IdP – Identity Provider
- Oracle Identity Manager
- IBM Tivoli Federated Identity Manager
- Microsoft Active Directory Federation Services
SP – Service Provider
- Your Domino Server
Assertion – What the IdP tells the SP
Humans went to the moon before we figured out that it would be a good idea to put wheels on suitcases
DID YOU KNOW?
Let’s Talk About HTTP
Here are some settings most people don’t ever touch
Server Wide HTTP Settings - Basics
• Host Name is used by the server when generating references
• DNS Lookups only need to be on if you are logging and want the DNS name of the requesting clients
• The Number of Active Threads is critical for performance tuning!
  • We will visit this setting at length
Domino HTTP Threads
One web page may require several threads
- One thread per HTTP/HTTPS Request
• Including every image, script, and style sheet
- Any agent uses a thread of its own
• Including WQO and WQS agents
Traveler uses 1 thread per device
Domino default is 40 threads
Traveler will change this using an INI parameter
- NTS_MAX_HTTP_THREADS
- 32 bit Traveler Server: 100
- 64 bit Traveler Server: 400
Deciding How Many Threads to Allocate
Thread pooling means waiting for page loads
• Like a line for checkout at the grocery store
Up to 40k Per Thread
- Can be an issue – especially on 32 bit servers
Show Statistics to determine need
- Domino.threads.active.peak
- http.currentconnections
- http.peakconnection
Domino Thread Pooling Methods
Configured in the NOTES.INI
- HTTPQueueMethod = 0
• Default Prior to 8.5.1
• Simple Round Robin – You get in the next line regardless of how many are in it already
• If you get in the wrong line, you wait, even if another line is open
- HTTPQueueMethod = 1
• Optimized Line Assignments – You get put in the shortest line at the time you arrive
• If your line takes a long time, you’re stuck in it
- HTTPQueueMethod = 2
• Default For 8.5.1+
• There is only one line, each request gets the next available thread
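An added example, not part of the original slides and not Domino's own scheduler: a toy model of the three checkout-line behaviours described above, run over a constructed workload in which one slow request (for instance a long-running agent) occupies a thread. The function name, the two-thread pool and the request timings are assumptions made for illustration.

```python
def simulate(requests, threads, method):
    """Total time requests spend waiting for a thread.

    requests: list of (arrival_time, service_time), sorted by arrival.
    method:   0, 1 or 2, mirroring the HTTPQueueMethod descriptions above.
    """
    finish = [[] for _ in range(threads)]    # finish times per thread, in order
    waited = 0
    for i, (arrive, work) in enumerate(requests):
        free_at = [f[-1] if f else 0 for f in finish]
        if method == 0:
            # Round robin: take the next line regardless of how long it is.
            t = i % threads
        elif method == 1:
            # Shortest line on arrival, counted in requests, not in time.
            depth = [sum(1 for done in f if done > arrive) for f in finish]
            t = depth.index(min(depth))
        else:
            # One shared line: go to whichever thread frees up first.
            t = free_at.index(min(free_at))
        start = max(arrive, free_at[t])
        waited += start - arrive
        finish[t].append(start + work)
    return waited

# Constructed workload: one 10-unit request followed by four short ones.
WORKLOAD = [(0, 10), (0, 2), (1, 1), (1, 1), (3, 1)]

def compare(threads=2):
    """Total wait for each queue method on the sample workload."""
    return {m: simulate(WORKLOAD, threads, m) for m in (0, 1, 2)}

if __name__ == "__main__":
    for method, total in compare().items():
        print(f"HTTPQueueMethod={method}: total wait {total}")
```

On this workload the per-thread lines leave short requests stuck behind the slow one, while the single shared line routes them around it.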
Let the browser cache common items
Resources that don’t change frequently can be cached
JPG
PNG
GIF
MOV
MP3
MSI
MPG
ZIP
EXE
Don’t Advertise Your Server Type
HttpDisableServerHeader=0 (Default)
HttpDisableServerHeader=1
Once you disable the default
- You can use an HTTP Response Header rule to set any value you want for the Server header
No square piece of paper can be folded in half more than 7 times
DID YOU KNOW?
Here are more obscure HTTP settings to worry about
Server Wide Settings
• Listen Queue Size
  • This is all the sessions waiting for an active thread
  • Setting it higher will probably hurt, not help
  • The operating system also limits the queue size
• Maximum Number of concurrent sessions
  • Very little documentation available
  • Should be at least as high as the number of threads
  • Probably best to leave it alone
• Persistent Connections
  • Disable on most servers after version 5
  • It is now faster to re-establish the session than hold it open
Tuning HTTP Memory Usage
HTTPUseNotesMemory & iNotesUseNotesMemory
- Setting to 0 will use the OS memory management routines
• Better memory utilization & performance (slight)
• Less debugging information available
HTTPJVMMaxHeapSize
- Introduced in 8.5 to govern the memory used by the HTTP JVM
- JavaMaxHeapSize is similar but applies to all JVM processes
- The default value in 8.5 is 256Mb
- The default value in 8.5.2 is 64Mb
- On IBM iSeries 256Mb is required
- On 64 bit machines with plenty of memory you can set much higher
JavaStackSize
- Default is 409600 (400kb)
- You only need to increase this if your code has deeply nested function calls and recursive algorithms.
Multiple SSL Certs on One Server
Yes! It Can Be Done
EVERY Web Site Definition MUST be bound to a UNIQUE IP address -- NOT bound to DNS Name
That’s all it takes
The same Domino Session Token for different Domains
Thank Paul Mooney for this one!
Create the LTPA Token in the web sites view for the first domain.
Copy and Paste a copy of that document, creating a duplicate
Edit the duplicate copy to change the domain
That’s all it takes
HTTPD.CNF
• MIME type configuration
• If you make changes mark the file read-only and back it up
• This file will be over-written during server upgrades
The arteries of a
blue whale are
so large, that a
human could
swim through
them
DID YOU KNOW?
SMTP Routing
Here’s a cheat sheet
SMTP Routing in a Nutshell
Server Documents except the server that will route smtp
- Set "SMTP Listener" to Disabled
- Set "Routing Tasks" to "Mail Routing" – but not "SMTP Mail Routing"
Create a "Foreign SMTP Domain" Domain Document
- Route *.* to "OurFakeName"
Create a Connection Document
- Type: SMTP
- Source Server: The domino server with smtp
- Destination Server: MAKE UP a name
- Destination Domain: "OurFakeName"
- Routing Task: SMTP Mail Routing
The earth is smoother
than a billiard ball,
if both were the
same size
DID YOU KNOW?
To a security consultant, there are only 2 Levels of Paranoia
1. Absolute
2. Insufficient
Here’s why you should tighten up your ECLs
Send a message to someone with a link
The link is actually a hotspot
The hotspot actually opens the page indicated
The hotspot also does other things
User Impersonation Attack
Very Difficult To Spot
The ECL Hack
ECL Hack Code
ECL Hack Result
220 mail.domain.ext ESMTP Sendmail (version); (date)
HELO local.domain.name
250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you
MAIL FROM: [email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO: [email protected]
250 2.1.0 [email protected]... Recipient ok
Subject: whatever you want
250 2.1.0 [email protected]... Subject ok
This is the message body....
250 2.0.0 ???????? Message accepted for delivery
Quit
221 2.0.0 mail.domain.ext closing connection
Connection closed by foreign host.
The SMTP Hack
DID YOU KNOW?
The
Mona Lisa
has no
eyebrows
One Last Tip
Make your Client load faster
Notes 8 Client Tweak
To make the Eclipse based client load faster
Open this folder:
{NotesProgramDirectory}\framework\rcp\deploy
Prior to 8.5.1 use this folder instead:
{NotesProgramDirectory}\framework\rcp\eclipse\plugins\com.ibm.rcp.j2se.{Version}
Edit the file: jvm.properties
Change the line: vmarg.Xmx=-Xmx256m
So that it reads: vmarg.Xmx=-Xmx512m
Note: You can set it higher, but aim for no more than half of your available RAM
Readers on my blog overwhelmingly report fantastic results with this one
The Electric Chair was
invented by a Dentist
DID YOU KNOW?
DID YOU KNOW?