Remove Administrators from the CA Process BEFORE deleting them from the Domino Directory

A customer recently reported they were having issues adding people to the Certificate Authority (CA) process.  When they attempted to add people, they received the message “Cannot locate user certificate. Make sure server contains your certificate for encryption” as shown in the graphic below.


The customer had already done due diligence and verified their location document had the field “Home/mail server” set to the server where the ICL database resided, therefore meeting the requirement that the server listed in this field be in the same domain as the encrypting server for the CA.  Additionally, they ensured the field “Mail file location” was set to ‘Server’ and not ‘Local’ as that is also a requirement.

My first step was to check the status of the CA process on the server via tell ca status.  Everything was fine. I next examined the certifier being used, there were no issues found.  I now turned my focus to the ICL database.  The most recent IDStorage document had been last modified on July 12 2016.  That was over 3 months ago, so something else was amiss.

With this knowledge in hand, I clicked the ‘Advanced’ button on the Modify Certifier dialogue to attempt to replace the certifier ID and/or repair the ICL database.  This resulted in the same error, of user certificate could not be located.  The next step was to determine if there were any invalid Notes certificates in the person documents for the administrators that had been added to the CA process.  Once I had the list of CA administrators, I did a quick lookup of each of these users in the Domino directory.  What I discovered is that one of the CA administrators was no long in the directory.  This now explained the error message as every time the CA Process is updated, the certificates of all current users are verified.  Because this user was no longer in the directory, their certificate could not be located.

I had a copy of their Domino directory from earlier in the year stored locally, so I was able to copy the person document of that administrator back into their directory.  I then went into Modify the CA Process, removed the administrator that was no longer with the company, and the CA Process updated successfully as shown in the graphic below.


At this point I deleted the person document, using the delete key, not invoking the AdminP process using Delete Person as the user had previously been removed from the domain.

The moral of the story is to always remove an administrator from the CA process BEFORE deleting them from the Domino Directory as AdminP does not update the CA Process as part of the Delete Person process.

Engage 2016 User Group Conference

Engage2016 Logo

I had the opportunity to present at the Engage 2016 user group conference last week in Eindhoven.  I was extremely impressed on all levels.  Thank you to Theo Heselmans for the opportunity to speak at this event!  The session titles, abstracts and links to the presentations on SlideShare are below.


Adm02 Be a Domino Detective: Tackling Your Toughest Performance Problems


Abstract: Become a Domino performance investigator.  This session will teach you industry best practices for Domino performance optimization.  Learn how to take abstract symptoms like “Notes is slow” and break it down to a resolvable problem.  See the methodology and tricks involved to find the true culprit using tools such as semaphore timeouts, memory dumps and server monitoring.  Understand what impact running with obsolete tuning parameters can have on your environment. You will learn the best tips to implement along with do’s and don’ts for ensuring your Domino environment will perform optimally.


Adm07 The Health Check Extravaganza for Social and Collaboration Environments


Abstract: Are you concerned about your infrastructure being configured correctly? Do you have problems happen that you don’t know how to prevent? Do you think your servers might have room for improvement? Wonder no more. This session will show you what you need to be looking at to ensure your server environment is running as cleanly and efficiently as possible. You will learn what you need to be looking for in your server configuration, problems found at numerous customer environments and what steps should be taken to remedy the various situations covered in this session. Be preventative, not reactive! Performing a health check is one of the most economical ways to ensure your social and collaboration environments are running properly.

Keeping Your IBM Collaboration Environment Healthy

One of the critical things my company does for businesses is keeping their IBM Collaboration environments healthy.  We do this by reviewing the current environment and infrastructure, detailing our findings and making specific recommendations for improvement.  In doing this work, we have noticed patterns of findings.

At the Connect 2016 conference, myself and my colleague Luis Guirigay are presenting “The Health Check Extravaganza for Social and Collaboration Environments“.  We will be sharing with you our collective knowledge of our experiences in working with numerous customers in evaluating their collaboration environments.  We will share with you what you need to be looking at to ensure your server environments are running as cleanly and efficiently as possible.  Our goal is to be preventive, not reactive!

Performing a health check is one of the most economical ways to ensure your social and collaboration environments are running properly.  I hope to see you at our session today, Tuesday, February 2nd, at 1:15 PM in room Lake Highland.

2-1-2016 12-27-39 AM


Impact of Lack of Memory on CPU Usage

One of our customers asked me to analyze the performance of the IBM i LPAR that hosts their primary Domino and Sametime servers as they had some concerns.  The LPAR hosts 5 Domino servers (Mail, Application, Administration, Sametime, and Dev/Test) along with the Sametime DB2, SSC, Proxy, and Meeting servers.

My analysis revealed quite high CPU utilization at times, in addition to faulting issues in the *BASE memory pool. The *BASE memory pool is pool 2, where all of the Domino and WAS-based Sametime servers run by default. Some of the Domino servers (Administration, Dev/Test, and Domino Sametime) had previously been moved to separate memory pools.

To determine which servers were causing the bulk of the faulting the *BASE pool, I created a query against the QAPMJOBL performance monitor database file.  The two top faulters were the Mail and Application servers.  I made a recommendation to move the Mail and Application servers to their own memory pool, allocating 36 GB of memory to each memory pool as a starting point.  I also recommended moving the Administration, Dev/Test, and Domino Sametime server back to the *BASE memory pool. This quite dramatically changed the memory allocations on the server.

The table below shows the memory allocations as they were when I performed my analysis.

Memory Pool Allocations Prior

This next table shows memory allocations after implementing my recommendations.

Memory Pool Allocations After

My memory tuning recommendations were implemented on October 25th.  The impact on CPU utilization was quite dramatic as shown in the graphic below.

CPU Utilization After Memory Pool Adjustment

Proper memory allocation is key for the best Domino performance!




Traveler server with Red status and long running push threads

We had a customer contact us recently about their Traveler server. The server was reporting a status of Red, CPU on the server was extremely high, and there were a number of these errors in the log file:

Traveler:  User CN=User Name/O=Org on thread Push-1ca3 has been running for 8820 minutes.

One correlation for the users reporting this error, they were all Android users.  No other device types were reporting this error.

In digging a bit deeper, we saw this error for each affected user in the log:

SEVERE  Push-14ad9 User Name[Android_f5a7931af273cbdc] ConnectionNotificationSenderGCM$ There was an issue sending the notification message to the Google Cloud Messaging (GCM) server. 3 attempts to re-establish the connection have failed, so the notification message cannot be sent. You can test network connectivity including firewall settings by trying in a web browser on this server. Exception Thrown: Connection reset

Running a trace from the physical server the Traveler server is hosted on revealed an inability to connect to

Google Cloud Messaging (GCM) became available in Traveler  It is the default synchronization option for Android devices when they download the or later IBM Verse client.


The fix to this issue is two-fold:

  1. Enable GCM push via notes.ini NTS_PUSH_ENABLE_GCM=True and restart the Traveler server.
  2. Ensure the Traveler server can connect to


I Have Moved My Blog

Welcome to my new blog!

I had previously blogged on, however that site is now defunct, so I have moved my blog. I chose for my new blog as my blog handle on BleedYellow was DominoDiva.

I am very much looking forward to getting back into blogging!!