Home
What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
What's New in 14.0?
HCL Domino 14.0 introduces the following new features and enhancements.
Enhancements related to security features
HCL Domino 14.0 provides the following enhancements related to security features.
HTTP Bearer authentication replacements
HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.

What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
- What's new in 14.0 Fixpack 1?
- What's New in 14.0?
  HCL Domino 14.0 introduces the following new features and enhancements.
  - Enhancements related to security features
    HCL Domino 14.0 provides the following enhancements related to security features.
    - Updated default TLS ciphers
      Domino 14 has updated the default TLS ciphers to include only ciphers with PFS, AEAD, and SHA-2 according to current security best practices.
    - Security policy for ID file encryption
      In Domino 14.0, you can set a policy to upgrade the algorithm used to encrypt the ID file to AES-128 with SHA-256, or AES-256 with SHA-512, when changing the password.
    - Global OpenID Connect (OIDC) enhancements
      In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.
    - Web user login with OIDC enhancements
      HCL Domino 14.0 provides the following web user login with OIDC enhancements.
    - HTTP Bearer authentication replacements
      HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.
    - Enhanced OpenID Connect 1.0 (OIDC) provider support
      Domino 14.0 improves our support for Microsoft's less-than-standard OIDC providers.
    - SHA256 support for Internet password in Domino directory
      With Domino 14.0, users' password hashes will now be updated to SHA256 when they change their Internet passwords in the Person Document.
    - New Passkey authentication
      HCL Domino 14.0 introduces authentication with passkey via the WebAuthn/FIDO2 protocol.
    - Third-party access token validation
      There is a new API that is exposed in the SDK for 14.0. This would be usable from any server process, and would leverage the trusted OIDC providers configured in idpcat.nsf to validate access tokens.
    - Document and email encryption capabilities
      HCL Domino 14.0 provides the following person document/email encryption capabilities.
    - Cluster-safe, sprayable, single-server session cookies (DomAuthSessId)
      When enabled by setting the new notes.ini DominoSessionCookieUniqueNames=1 the name of the DomAuthSessId cookie becomes DomAuthSessIdABCDEFGHIJK, where ABCDEFGHIJK is the first 11 characters of Base64url [SHA256 (Domino server DN)]. This causes multiple Domino servers that are all serving the same internet site to choose unique cookie names instead of overwriting each other's cookies.
    - New version of OpenSSL
      HCL Domino provides a new OpenSSL version.
    - ID file login prevention
      Notes 14.0 provides the following enhancement for Notes Federated Login.
  - New AdminCentral app
    The AdminCentral application (admincentral.nsf) is automatically created by adminP on the Domino administration server. You can open AdminCentral directly from your Notes Standard or Nomad web client, without the need to start Domino Administrator.
  - AutoUpdate for software download and distribution
    This new feature notifies you of the latest Domino and Domino product family available on the Domino server. You can use AutoUpdate to download selected software from the My HCLSoftware portal and have it distributed to groups or selected Domino servers.
  - One-touch setup enhancements
    HCL Domino 14.0 includes Domino one-touch setup enhancements.
  - Domino installation inclusions
    Domino installation now includes HCL Verse, HCL Nomad server on Domino, and OnTime Group Calendar.
  - Windows installer updates
    Domino install no longer supports the notes.ini in the executable directory on Windows.
  - Auto-notifications for the latest product versions
    This opt-in feature makes administrators aware of the latest version available for Domino and Domino companion products.
  - Upgrade to HCL Notes 64-bit using AutoUpdate
    Starting with Domino 14.0, only 64-bit Notes clients are supported. Users upgrading servers from Domino 12.0.2 (or earlier) to 14.0 with a 32-bit client will need to upgrade to the 64-bit version. If a user is already running a 64-bit client, administrators can set up Auto Update (AUT) to support the upgrade anyway.
  - External email notifications
    Administrators can now have text added to the top of all incoming email sent by users outside your domains. This message might be used to remind your users to use caution and avoid clicking links or opening file attachments in messages that haven't originated from within your environment.
  - Enabled policy for delayed mail delivery
    In Notes mail, the Send Later button is easy for users to discover, and the Domino policy that allows Notes users to see that option is now enabled by default.
  - Disable LotusScript Debugger in HCL Notes
    You can set a desktop policy to disable the LotusScript Debugger in your Notes client.
  - Files tab supports database encryption
    Previously, an administrator could only change the encryption status of a single database. Now, by using the Files panel of the Administration client, an admin can select multiple databases and change their encryption settings. An admin can also see the current encryption state and strength for all databases.
  - DAOS repair in a Domino cluster
    With the DAOSmgr Repair Tell command, Domino administrators can scan the DAOS catalog for objects marked as missing during DAOS resynchronization and attempt to repair them from the server's cluster mates.
  - Domino Restyle enhancements
    Domino Restyle updates an application's UI elements with a color-coordinated, cleaner look and feel. The following enhancements are supported by Notes 14.
  - Other updates
    Domino 14.0 also includes the following updates.
- Components no longer included in this release
  The following components are no longer included in Domino 14.

HTTP Bearer authentication replacements

HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.

Select Enable Microsoft Workarounds in idpcat.nsf when configuring bearer authentication with Azure AD or ADFS 2019. These OIDC providers do not follow the standard as closely as most other providers, so special workarounds are needed in order to support then. This replaces the HTTP_BEARER_ENABLE_MS_WORKAROUNDS notes.ini from 12.0.2 FP1, which has been removed.

When using a provider that sends the user's email or name in a Claim that is not named "email," set the Custom Email Claim Name field to the name of that custom claim. This replaces the HTTP_CUSTOM_EMAIL_CLAIM_NAME notes.ini from 12.0.2, which has been removed.

By default, the Domino HTTP server expects to receive an "aud" (audience) Claim containing the base resource being accessed, such as https://dominoserver.example.com. If your provider sends a nonstandard value in the audience claim, such as Azure AD, configure one or more alternative audience values in the Alternate Audiences field. This replaces the HTTP_BEARER_ALTERNATE_AUD_COUNT and HTTP_BEARER_ALTERNATE_AUD_X notes.ini variables which have been removed.

Administrators who wish to restrict bearer authentication to specific applications by client_id sent in the "azp" Claim can configure one or more client_id values in the Allowed Client IDs field. This replaces the HTTP_BEARER_ALLOWED_ID_COUNT and HTTP_BEARER_ALLOWED_ID_X notes.ini variables from 12.0.2, which have been removed.

The DEBUG_HTTP_BEARER_AUTH notes.ini still exists and works as it did in 12.0.2.

For more information, see Configuring HTTP Bearer authentication using an OIDC provider.