Home
What's new in Domino 12?
Learn about all of the new features for administrators in HCL Domino® 12.
What's new in 12.0?
HCL Domino 12.0 introduces the following new features.
New security features and enhancements
These are the security features and enhancements provided with HCL Domino® 12.
Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
The TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.

What's new in Domino 12?
Learn about all of the new features for administrators in HCL Domino® 12.
- What's new in 12.0.1?
  HCL Domino 12.0.1 introduces the following new features.
- What's new in 12.0?
  HCL Domino 12.0 introduces the following new features.
  - New install and setup features and enhancements
    These are the install and setup features and enhancements provided with Domino 12.
  - New security features and enhancements
    These are the security features and enhancements provided with HCL Domino® 12.
    - Improved management of TLS certificates
      HCL Domino® 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.
    - Time-based one-time password (TOTP) authentication
      When users log on to a Domino Web server, you can require that they provide time-based one-time passwords in addition to their user names and passwords.
    - Enforce internet password lockout based on IP address
      Starting with HCL Domino® 12, you can enforce internet password lockouts for users who are not in the directory according to IP addresses.
    - TLS 1.0 is disabled by default
      Domino 12 disables Domino's support for TLS 1.0 by default, leaving TLS 1.2 as the currently supported TLS protocol version.
    - Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
      The TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.
    - New template signing ID uses 2048-bit keys
      A new template signing ID, CN=Domino Template Development/O=Domino, provides stronger encryption using 2048-bit keys. Templates that are new or modified in Notes and Domino 12 are signed with the new ID.
    - NRPC port encryption supports forward secrecy using X25519
      Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.
    - Import internet certificates that contain unsupported critical extensions
      You can now allow internet certificates that contain critical extensions that are unsupported by Domino to be imported into the Domino directory or Notes personal address book.
    - Suppress key rollover alerts during ID vault synchronization
      You can disable the key rollover alert that is shown routinely when a Notes ID is synchronized with the ID vault.
    - New Query Vault command options
      The Query Vault (qvault) command provides options to inactivate and reactivate user's ID vault documents.
    - Upload IDs to the vault manually
      Vault administrators and users can upload IDs to the ID vault manually through the Domino directory.
    - Support for SameSite cookie
      You can now configure the SameSite cookie attribute to enable a Domino Web server to assert that browsers can only send cookies that originate from the Domino server Web site.
    - Web server GET /names.nsf?Login requests prevented by default
      For improved security, Domino 12 Web servers do not allow GET /names.nsf?Login requests by default.
    - New Web server login form
      The login form $$LoginUserFormMFA is provided as a modern-looking login form for Web users. The login form is required if you configure time-based one-time password (TOTP) authentication but can be used even if you don't use TOTP.
  - New DAOS features and enhancements
    HCL Domino® 12 provides the following new features and enhancements for Domino Attachment and Object Service (DAOS).
  - New features related to the end-user experience
    The following features relate to the HCL Notes® end-user experience.
  - Replication enhancements
    HCL Domino® 12 provides these replication enhancements.
  - Backup and restore capability
    Backup and restore capability is integrated with Domino 12 servers.
  - Stand-alone Domino directory enhancements
    The new Domino directory design (pubnames.ntf) provides several stand-alone enhancements that improve usability for administrators.
  - Users in Active Directory can sync their Windows passwords
    Active Directory password synchronization enables Windows users whose Active Directory information is synced to Domino to apply their Windows passwords to their Domino HTTP and Notes ID passwords.
  - Administration Process support for updating names in Verse user profiles
    The Administration Process rename person request now updates names in HCL Verse user profiles.
  - New ODS level
    HCL Domino® 12 introduces a new on-disk structure (ODS) version for databases: ODS 55.
  - MarvelClient Essentials integration
    The following improvements have been made to the integration of MarvelClient with Domino.
  - Entitlement tracking
    As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.
  - Domino OSGI Tasklet Service (DOTS) is available again
    DOTS is available again in Domino 12.
  - New Java™ Runtime Environment
    A new Java™ Runtime Environment (JRE) is provided with HCL Domino® 12 and HCL Domino Designer 12.
  - TCP/IP port buffer size
    Domino 12 has changed the TCP/IP port buffer default size from 4000 to 8000.
- Components no longer included in this release
  The following components are no longer included.

Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy

The TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.

These curves are in addition to the curves introduced with the ECDHE ciphers in 9.0.1 FPx: NIST P-256, NIST P-384, and NIST P-521. X25519 and X448 offer better performance and space efficiency than the equivalent NIST Prime curves and are simpler to implement in an error-free fashion. The Wikipedia page for Curve25519 summarizes many of the reasons to prioritize use of these new curves.

The elliptic curve used for forward secrecy is negotiated dynamically as part of the TLS handshake: the client sends its list of supported curves in preference order, and the server picks one that both sides support. Domino's new ordered preference for ECDHE is:

X25519
NIST P-256
X448
NIST P-384
NIST P-521

Each of these curves can be disabled with a corresponding notes.ini:

SSL_DISABLE_CURVE_X25519
SSL_DISABLE_CURVE_P256
SSL_DISABLE_CURVE_X448
SSL_DISABLE_CURVE_P384
SSL_DISABLE_CURVE_P521