What's new in Early Access drop 5?

HCL Domino 12.0.2 Early Access Program drop 5 provides these new features and enhancements:

Enhanced Domino Container image

The Domino Docker image is based on the HCL Domino Container open source project built on top of a Redhat UBI 8.6 base. The new container supports additional functionality including enhanced run-time operations using a well known Domino on Linux start script from the community.

The HCL documentation provides information about standard functionality. Additional functionality is documented in a HCL community GitHub project ( https://opensource.hcltechsw.com/domino-container/).

The container image is supported to run on the current Docker Desktop and Server, Podman, and Kubernetes environments.

Intermediate containers are no longer required for run-time, update, or maintenance operations. Existing data volumes are automatically migrated when running with the container image.

Mail file design refresh property ON by default

In the mail application, the property "Refresh design from admin server only" is newly ON by default. Now, during user registration, the user's mail file and any replicas specified during that time has have this option turned on. This is true whether the mail file and replicas are created in the foreground (by the admin client) or the background by AdminP.

The option for an individual application can always be deselected by using the menu command File > Application > Properties and then the Design tab.

For more information on properties in user registration, see Using default settings when registering users.

Virus scanning updates (ICAP protocol)

  • Expiration of the ICAP server certificate is now enforced. If the certificate expires, virus scanning will not operate, and messages with attachments may back up in the router. Open the server document in cscancfg.nsf and check the Health status field which will indicate an error if the certificate has expired or a warning if the certificate is expiring soon. An event is also placed in ddm.nsf for either of these conditions and a message is logged to the console. You may set a configuration to accept expired certificates.
  • Console logging is improved. Messages are logged at an appropriate level, so for example, normal logging does not give detailed messages. There is a limit to how many times the same message is output. There is a unique prefix for each individual document that is scanned (such as "nmailscan: Job-3.") to make it easier to track the flow of processing for a specific document.
  • Error recovery is improved. Certain operations that fail are transparently retried until they succeed.
  • Statistics have been reorganized and simplified to give an administrator a good indication of how the feature is operating.
    Note: Virus scanning is supported on Windows and Linux only.

For more information, see Scanning message attachments for viruses.

CertMgr certificate URL health check

CertMgr now supports validation of a TLS certificate on target URL endpoints specified in the TLS Credentials document. This validation checks for certification expiration and notifies the administrator if the certificate has expired.

For more information, see Certificate URL health check.


The following features are for Windows and Linux only:

Archival of legacy signing certificates

Support for legacy IDP signing certificates is added to the Domino Service Provider relying trust with the Identity Provider in the IdP catalog database.

When Domino imports a new IdP xml metadata file into an existing IdP catalog document, the new signing certificate is stored, and the previous signing certificate (if present) is saved off as an IdP Legacy Certificate.

IdP Legacy Certificates can be examined and removed from the Certificate Management tab - Examine Legacy Certificates button.

Legacy signing certificates will be used to verify SAML Response and Assertion signatures if the current IdP signing certificate fails verification.

For related information, see Creating a Web server IdP configuration document.

New version of OpenSSL

HCL Domino has upgraded from OpenSSL 1.1.1a to OpenSSL 3.0.5 on the Windows, Linux, and AIX platforms.

The OpenSSL 3.0 FIPS provider's FIPS 140-2 validation certificate has been issued. For more information see this article on the OpenSSL Blog site.

The Windows, Linux, and AIX platforms will use the FIPS provider for FIPS 140-2 approved algorithms such as SHA-1, SHA-2, 3DES, AES, 2048+ bit RSA, ECDSA, ECDHE, and EdDSA.

Domino Restyle

With Domino Restyle, you can update a Notes application's UI elements with a color-coordinated, cleaner look and feel.

With Restyle, only UI elements are updated; no code is modified. To access the Restyle option, select File > Application > Restyle for a selected application or workspace icon.

Note: Designer access to the application is required to use Restyle.

For more information, see Domino Restyle for Notes applications in the HCL Notes documentation.

View rebuild improvements

Faster building or rebuilding of views is now on by default and takes 15-35% less time in Domino 12.0.2. Now applies to all platforms.

Smart Server Startup updates

Introduced in a previous drop, the feature called Smart Server Startup prevents users from connecting to a Domino server until it is fully up and ready to accept user requests. For example, if a server crashes, Smart Server Startup allows users to connect to it only after the server has fully recovered. For updated information, see Monitoring Smart Server Startup.

Other enhancements

  • A new NOTES.INI setting allows you to configure the maximum number of tasklets that can be run in a Domino OSGI Tasklet Service (DOTS) environment. See MAX_RUNNING_DOTS_TASKLETS for more information.

  • New Java Runtime Environment with Domino and Designer 12.0.2:
    The JRE component versions are:
    • openjdk version "1.8.0_345"
    • IBM Semeru Runtime Open Edition (build 1.8.0_345-b01)
    • Eclipse OpenJ9 VM (build openj9-0.33.1, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20220817_464 (JIT enabled, AOT enabled)
    • OpenJ9 - 1d9d16830
    • OMR - b58aa2708
    • JCL - e361c66299 based on jdk8u345-b01)

    As in earlier releases, the notes.ini setting JavaEnableJIT=0 can be used to turn off the Just In Time (JIT) compiler. The JIT is on by default, as in earlier releases.