Home
Installing
Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
Planning your upgrade to Notes and Domino 12.0.2
Use this documentation to upgrade the existing Domino® server and subsequently upgrade the Notes® client to a new release. You can also upgrade additional clients such as Domino Administrator and Domino Designer clients and additional features and plug-ins such as the embedded HCL Sametime® client.
Security considerations prior to upgrading
It’s important to review your security practices before upgrading, especially if you are upgrading from an old version.
Certificate management with CertMgr
Domino V12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.

Installing
Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
- Installing and upgrading Domino® servers
  Perform a new or upgrade install of one or many Domino® servers.
- Installing and upgrading Notes® clients
- Planning your upgrade to Notes and Domino 12.0.2
  Use this documentation to upgrade the existing Domino® server and subsequently upgrade the Notes® client to a new release. You can also upgrade additional clients such as Domino Administrator and Domino Designer clients and additional features and plug-ins such as the embedded HCL Sametime® client.
  - Security considerations prior to upgrading
    It’s important to review your security practices before upgrading, especially if you are upgrading from an old version.
    - Notes ID passwords for web user authentication
      When enabled, this feature (introduced in V11.0.1) allows HCL Verse, HCL iNotes and other web users with Notes IDs to provide their web name and Notes ID password to authenticate to the Domino server.
    - Certificate management with CertMgr
      Domino V12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.
    - Time-based one-time password authentication (TOTP)
      Domino V12 introduces TOTP for multi-factor authentication for web users. TOTP authentication provides an extra layer of security when users authenticate to a Domino web server.
    - Ciphers
      In Domino V12, the TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.
    - SameSite cookie attribute
      Domino V12 introduces support for use of the SameSite cookie attribute to reduce the risk of cross-site request forgery (CSRF).
    - Internet password lockout based on IP address
      Domino V12 extends the internet password lockout feature.
    - Server Name Indication (SNI) Support
      Support for SNI was introduced in V11.0.1. SNI is an extension to the TLS protocol.
    - Cross Origin Resource Sharing (CORS)
      This feature was introduced in V10.0.1 and allows a web application from another origin to access resources on the Domino web server.
    - Improved DAOS object encryption
      Beginning with Domino V12, you can create a shared key that multiple servers that are enabled for DAOS can use to encrypt objects.
    - NRPC port encryption enhancement
      In Domino V12, support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.w ikipedia.org/wiki/Curve25519) has been added to NRPC port encryption.
    - Notes IDs
      The minimum key size for newly registered Notes IDs was increased to 1024 bits in V11.0.1 and the default key size for newly registered Notes IDs was increased to 2048 bits in V12.0.
    - Maintaining ID file synchronization with the ID vault
      When passwords on Notes client IDs become different from the passwords on the IDs in the ID vault, synchronization of ID information between clients and the ID vault stops.
    - SAML and federated login
      Notes and Web Federated Login is a feature that has been around for a long time, however it has had great improvements in both versions 10 and 11.
    - OIDC and federated login
    - IBM® GSKit cryptographic libraries replaced with the OpenSSL equivalents
      Starting with V11.0, on all HCL Notes® and Domino® platforms, OpenSSL 1.1.1a cryptographic libraries replace the IBM® GSKit libraries provided in earlier releases.
    - Database encryption
      Starting with V11.0.1, Domino supports encrypting databases with AES 128-bit encryption.
    - Whitelist Active Content Filter (ACF) for iNotes and Verse
      Starting with V10.0.1, an ACF can be used to remove potentially harmful active content from HTML messages such as JavaScript™, Java™, and ActiveX.
  - Preparing your environment for the upgrade
    Time spent doing a thorough evaluation of your environment prior to upgrading is time well spent. Capturing baselines of your existing server infrastructure allows you to compare how the upgraded environment is performing.
  - Planning the deployment of the new release
    Depending on the size of your organization and the number of Domino servers involved, an organization upgrade schedule may range from a few hours to a few weeks or months.
  - Upgrading a Domino server
    Before upgrading a Domino server, review the upgrade considerations and choose the upgrade option to use.
  - Upgrading post-V11 AD Password Sync to V12.0.2 or later
    Upgrade Domino AD Password Sync installations that use Domino 12.0 or 12.0.1 to Domino 12.0.2 in order to use the new "AD Password Sync" server install type available in 12.0.2 and later.
  - Planning the deployment of a new version of Notes
    Understand the things to consider and actions to take before installing a new version of HCL Notes.

Certificate management with CertMgr

Domino V12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.

You use CertMgr and certstore.nsf to completely automate requesting, configuring, and renewing free, widely trusted TLS certificates from the Let's Encrypt® certificate authority (CA). You can also process certificate signing requests for other third-party CAs. In this case, you manually submit the generated CSR to the CA, and paste the certificates received into certstore.nsf.

Certificates generated through Certificate Manager are securely stored directly in TLS Credentials documents in certstore.nsf rather than in keyring files on disk as was done previously. To import keyring files currently stored on disk into TLS Credentials documents, see the procedure Upgrading TLS credentials.

An Internet site document still needs to have a value specified in the Key file name field when CertMgr is used. This value should typically be the server host name.

Important: If you upgrade a Web server that stores TLS certificates in keyring files on disk and don’t run CertMgr, if X.509 certificate-based client authentication is enabled on the server, after the upgrade, web users will be unable to log in. To prevent this problem, upgrade keyring files to TLS credentials.