Home
What's new in Domino 12?
Learn about all of the new features for administrators in HCL Domino® 12.
What's new in 12.0?
HCL Domino 12.0 introduces the following new features.
New security features and enhancements
These are the security features and enhancements provided with HCL Domino® 12.
NRPC port encryption supports forward secrecy using X25519
Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.

What's new in Domino 12?
Learn about all of the new features for administrators in HCL Domino® 12.
- What's new in 12.0.1?
  HCL Domino 12.0.1 introduces the following new features.
- What's new in 12.0?
  HCL Domino 12.0 introduces the following new features.
  - New install and setup features and enhancements
    These are the install and setup features and enhancements provided with Domino 12.
  - New security features and enhancements
    These are the security features and enhancements provided with HCL Domino® 12.
    - Improved management of TLS certificates
      HCL Domino® 12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.
    - Time-based one-time password (TOTP) authentication
      When users log on to a Domino Web server, you can require that they provide time-based one-time passwords in addition to their user names and passwords.
    - Enforce internet password lockout based on IP address
      Starting with HCL Domino® 12, you can enforce internet password lockouts for users who are not in the directory according to IP addresses.
    - TLS 1.0 is disabled by default
      Domino 12 disables Domino's support for TLS 1.0 by default, leaving TLS 1.2 as the currently supported TLS protocol version.
    - Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
      The TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.
    - New template signing ID uses 2048-bit keys
      A new template signing ID, CN=Domino Template Development/O=Domino, provides stronger encryption using 2048-bit keys. Templates that are new or modified in Notes and Domino 12 are signed with the new ID.
    - NRPC port encryption supports forward secrecy using X25519
      Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.
    - Import internet certificates that contain unsupported critical extensions
      You can now allow internet certificates that contain critical extensions that are unsupported by Domino to be imported into the Domino directory or Notes personal address book.
    - Suppress key rollover alerts during ID vault synchronization
      You can disable the key rollover alert that is shown routinely when a Notes ID is synchronized with the ID vault.
    - New Query Vault command options
      The Query Vault (qvault) command provides options to inactivate and reactivate user's ID vault documents.
    - Upload IDs to the vault manually
      Vault administrators and users can upload IDs to the ID vault manually through the Domino directory.
    - Support for SameSite cookie
      You can now configure the SameSite cookie attribute to enable a Domino Web server to assert that browsers can only send cookies that originate from the Domino server Web site.
    - Web server GET /names.nsf?Login requests prevented by default
      For improved security, Domino 12 Web servers do not allow GET /names.nsf?Login requests by default.
    - New Web server login form
      The login form $$LoginUserFormMFA is provided as a modern-looking login form for Web users. The login form is required if you configure time-based one-time password (TOTP) authentication but can be used even if you don't use TOTP.
  - New DAOS features and enhancements
    HCL Domino® 12 provides the following new features and enhancements for Domino Attachment and Object Service (DAOS).
  - New features related to the end-user experience
    The following features relate to the HCL Notes® end-user experience.
  - Replication enhancements
    HCL Domino® 12 provides these replication enhancements.
  - Backup and restore capability
    Backup and restore capability is integrated with Domino 12 servers.
  - Stand-alone Domino directory enhancements
    The new Domino directory design (pubnames.ntf) provides several stand-alone enhancements that improve usability for administrators.
  - Users in Active Directory can sync their Windows passwords
    Active Directory password synchronization enables Windows users whose Active Directory information is synced to Domino to apply their Windows passwords to their Domino HTTP and Notes ID passwords.
  - Administration Process support for updating names in Verse user profiles
    The Administration Process rename person request now updates names in HCL Verse user profiles.
  - New ODS level
    HCL Domino® 12 introduces a new on-disk structure (ODS) version for databases: ODS 55.
  - MarvelClient Essentials integration
    The following improvements have been made to the integration of MarvelClient with Domino.
  - Entitlement tracking
    As of Domino 12.0, a new internal mechanism is provided for collecting the highest entitlement that individual users have across a Domino domain. When a user appears in the ACL of a database with Reader access or above and that person has the right to access the server, the user is said to be an entitled user.
  - Domino OSGI Tasklet Service (DOTS) is available again
    DOTS is available again in Domino 12.
  - New Java™ Runtime Environment
    A new Java™ Runtime Environment (JRE) is provided with HCL Domino® 12 and HCL Domino Designer 12.
  - TCP/IP port buffer size
    Domino 12 has changed the TCP/IP port buffer default size from 4000 to 8000.
- Components no longer included in this release
  The following components are no longer included.

NRPC port encryption supports forward secrecy using X25519

Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.

When NRPC port encryption is enabled on a Domino 12 server, forward secrecy using X25519 is now enabled by default. The following table describes the NRPC encryption algorithms used based on the version of the NRPC client connecting to a Domino 12 server using the default algorithms. A client can be a Notes client or a Domino server replicating with the Domino 12 server.

Table 1. NRPC encryption algorithms used by client version
NRPC client version	Algorithms used when connecting to Domino 12
Clients prior to V 9.0.1 FP7	RC4
V 9.0.1 FP7 and later FPs V 10 V 11	128 bit AES-GCM for network encryption and integrity protection and 128 bit AES tickets
V 12	256 bit AES-GCM for network encryption and integrity protection, X25519 for forward secrecy, and 128 bit AES tickets.

Note that use of the PORT_ENC_ADV notes.ini setting to configure NRPC port encryption overrides the default behavior. If you currently use the PORT_ENC_ADV setting and want to enable X25519 for forward secrecy, add 32 to your current value for that setting. The client side of the network connection advertises which algorithms it supports, and the server selects the most secure combination that both client and server support based on the server-side notes.ini setting. For more information, see the topic PORT_ENC_ADV. (Note that PORT_ENC_ADV=0 is a valid setting that results in the disablement of all modern algorithms.)

We recommend enabling LOG_AUTHENTICATION=1 so you can see which algorithms are being used to authenticate and encrypt your NRPC traffic.