Home
Installing
Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
Planning your upgrade to Notes and Domino 12.0.2
Use this documentation to upgrade the existing Domino® server and subsequently upgrade the Notes® client to a new release. You can also upgrade additional clients such as Domino Administrator and Domino Designer clients and additional features and plug-ins such as the embedded HCL Sametime® client.
Security considerations prior to upgrading
It’s important to review your security practices before upgrading, especially if you are upgrading from an old version.
Ciphers
In Domino V12, the TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.

Installing
Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
- Installing and upgrading Domino® servers
  Perform a new or upgrade install of one or many Domino® servers.
- Installing and upgrading Notes® clients
- Planning your upgrade to Notes and Domino 12.0.2
  Use this documentation to upgrade the existing Domino® server and subsequently upgrade the Notes® client to a new release. You can also upgrade additional clients such as Domino Administrator and Domino Designer clients and additional features and plug-ins such as the embedded HCL Sametime® client.
  - Security considerations prior to upgrading
    It’s important to review your security practices before upgrading, especially if you are upgrading from an old version.
    - Notes ID passwords for web user authentication
      When enabled, this feature (introduced in V11.0.1) allows HCL Verse, HCL iNotes and other web users with Notes IDs to provide their web name and Notes ID password to authenticate to the Domino server.
    - Certificate management with CertMgr
      Domino V12 introduces a new server task, Certificate Manager (CertMgr), that works with a new database, Certificate Store (certstore.nsf) to manage TLS certificates in your Domino environment.
    - Time-based one-time password authentication (TOTP)
      Domino V12 introduces TOTP for multi-factor authentication for web users. TOTP authentication provides an extra layer of security when users authenticate to a Domino web server.
    - Ciphers
      In Domino V12, the TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.
    - SameSite cookie attribute
      Domino V12 introduces support for use of the SameSite cookie attribute to reduce the risk of cross-site request forgery (CSRF).
    - Internet password lockout based on IP address
      Domino V12 extends the internet password lockout feature.
    - Server Name Indication (SNI) Support
      Support for SNI was introduced in V11.0.1. SNI is an extension to the TLS protocol.
    - Cross Origin Resource Sharing (CORS)
      This feature was introduced in V10.0.1 and allows a web application from another origin to access resources on the Domino web server.
    - Improved DAOS object encryption
      Beginning with Domino V12, you can create a shared key that multiple servers that are enabled for DAOS can use to encrypt objects.
    - NRPC port encryption enhancement
      In Domino V12, support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.w ikipedia.org/wiki/Curve25519) has been added to NRPC port encryption.
    - Notes IDs
      The minimum key size for newly registered Notes IDs was increased to 1024 bits in V11.0.1 and the default key size for newly registered Notes IDs was increased to 2048 bits in V12.0.
    - Maintaining ID file synchronization with the ID vault
      When passwords on Notes client IDs become different from the passwords on the IDs in the ID vault, synchronization of ID information between clients and the ID vault stops.
    - SAML and federated login
      Notes and Web Federated Login is a feature that has been around for a long time, however it has had great improvements in both versions 10 and 11.
    - OIDC and federated login
    - IBM® GSKit cryptographic libraries replaced with the OpenSSL equivalents
      Starting with V11.0, on all HCL Notes® and Domino® platforms, OpenSSL 1.1.1a cryptographic libraries replace the IBM® GSKit libraries provided in earlier releases.
    - Database encryption
      Starting with V11.0.1, Domino supports encrypting databases with AES 128-bit encryption.
    - Whitelist Active Content Filter (ACF) for iNotes and Verse
      Starting with V10.0.1, an ACF can be used to remove potentially harmful active content from HTML messages such as JavaScript™, Java™, and ActiveX.
  - Preparing your environment for the upgrade
    Time spent doing a thorough evaluation of your environment prior to upgrading is time well spent. Capturing baselines of your existing server infrastructure allows you to compare how the upgraded environment is performing.
  - Planning the deployment of the new release
    Depending on the size of your organization and the number of Domino servers involved, an organization upgrade schedule may range from a few hours to a few weeks or months.
  - Upgrading a Domino server
    Before upgrading a Domino server, review the upgrade considerations and choose the upgrade option to use.
  - Upgrading post-V11 AD Password Sync to V12.0.2 or later
    Upgrade Domino AD Password Sync installations that use Domino 12.0 or 12.0.1 to Domino 12.0.2 in order to use the new "AD Password Sync" server install type available in 12.0.2 and later.
  - Planning the deployment of a new version of Notes
    Understand the things to consider and actions to take before installing a new version of HCL Notes.

Ciphers

In Domino V12, the TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves for forward secrecy: X25519 and X448.

These offer better performance and space efficiency than the equivalent NIST Prime curves and are simpler to implement in an error-free fashion. For more information, see the topic Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy.

In addition, a Domino V12 server configured to use an ECDSA keyring file ECDSA credentials via CertMgr or kyrtool supports the following two TLS 1.2 cipher suites, which are supported by most current browsers and devices:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

Note: If you are upgrading from V9.0.1, carefully evaluate your cipher settings. If you currently use the notes.ini setting SSLCipherSpec, after you upgrade to V12, these settings are moved to the server document or Internet Sites document (depending on configuration). SSLCipherSpec notes.ini setting is ignored.

Review the list of ciphers that were deprecated in V11 and their impact on server configuration, see the article Deprecated Ciphers in Domino 11 on the Support site.