Deploying DAOS and ID Vault

MWLUG Conference 2009 IBM Center Chicago, IL August 27-28, 2009 Empowering the Lotus Community

Transcript of Deploying DAOS and ID Vault

Page 1: Deploying DAOS and ID Vault

MWLUG Conference 2009

IBM Center, Chicago, IL, August 27-28, 2009

Empowering the Lotus Community

Page 2: Deploying DAOS and ID Vault

Deploying DAOS and ID Vault

Luis Guirigay

http://lguiriga.blogspot.com

Twitter: lguiriga

Session: IN107

Page 3: Deploying DAOS and ID Vault

Agenda

• Who am I ?

• Introduction to DAOS

• DAOS Estimator Tool

• Configuring DAOS

• Best Practices

• Introduction to ID Vault

• Configuring ID Vault

Page 4: Deploying DAOS and ID Vault

Who am I

• Senior IT Specialist at PSC Group, LLC

• Involved in Lotus Technologies since 1998

• Co-Author of multiple IBM Redbooks (Domino 7 for i5/OS, Workplace Collaboration Services, DB2 for i5/OS and Lotus Workflow)

• IBM Certified Administrator and Developer in 5, 6, 7, 8 and 8.5

• IBM Certified Administrator in Sametime 7.5 and 8

• IBM Certified Administrator in WebSphere Portal 6.0 and 6.1

• IBM Certified Administrator in Lotus Connections 2.0.x

• IBM Certified Developer in Lotus Workflow

• Find me at:

• http://lguiriga.blogspot.com

• Twitter = lguiriga

Page 5: Deploying DAOS and ID Vault

DAOS

Page 6: Deploying DAOS and ID Vault

Introduction to DAOS - Domino Attachment and Object Service

• It is not “Shared Mail” (Shared Mail developers are doing something else)

• Will keep only one instance of each attachment – unless:

• Message is encrypted

• It is a Server feature – Local Replicas will get all attachments

• Cluster is supported but each server handles DAOS independently

• DAOSCatalog.nsf keeps all relationships information

• DAOS is configured per server (Not per Domain)

• DAOS is green: less data = less storage/space needed = more savings

• Attachments are now stored as encrypted .NLO files (by default)

• Transparent to end users and applications

• It requires Transaction Logging (TXN) - (That’s ok, TXN is cool)

• Follow Transaction Logging Best Practices

http://www-01.ibm.com/support/docview.wss?rs=203&uid=swg27009309

Page 7: Deploying DAOS and ID Vault

Introduction to DAOS - Domino Attachment and Object Service

Page 8: Deploying DAOS and ID Vault

Introduction to DAOS - Domino Attachment and Object Service

Page 9: Deploying DAOS and ID Vault

DAOS Benefits

• Disk space savings

• Also keep in mind Design and Data compression

• Backup times

• Mail routing optimization when attachments are involved

• Database compact will run faster since file size is reduced

• I/O Transactions are reduced

• Reducing view rebuild times

• DAOS files can be located at:

• Network drive

• SAN/NAS

• Local drive

Page 10: Deploying DAOS and ID Vault

DAOS Estimator Tool

• Free

• Will tell you how much space you will save before upgrading

• Tested on Domino 6.x and later (but it can run on Domino 5)

• Output:

• Get it here – IBM Technote #4021920

http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg24021920

Page 11: Deploying DAOS and ID Vault

Configuring DAOS

Page 12: Deploying DAOS and ID Vault

Configuring DAOS

• DAOS disabled by default

• Remember to apply Fix Pack 1

Page 13: Deploying DAOS and ID Vault

Enabling DAOS

• Go to Server Document > DAOS

• Change it to Enabled

Page 14: Deploying DAOS and ID Vault

Enabling DAOS

• Set the minimum size based on the OS bytes per cluster and number of attachments to be created. Example = 64 KB

• Specify DAOS base Path

• Set Defer Object Deletion (Number of days DAOS will wait to delete the NLO file after the last message pointing to it has been deleted)

• Save and Close

• Restart server

Page 15: Deploying DAOS and ID Vault

Configuring DAOS

• Sh Server – TXN and DAOS must be enabled

Page 16: Deploying DAOS and ID Vault

Upgrade to ODS 51

• DAOS requires ODS 51

• Add CREATE_R85_DATABASES=1 to server’s notes.ini

• Update to ODS 51 using Load compact -c

• ODS 51 will also compress the notes database

- Mail file reduction when upgraded to ODS 51 = 27 MB vs 12 MB

Page 17: Deploying DAOS and ID Vault

DAOSify Applications and Templates

• Use:

• Load compact <folder/apps> -c -daos on

Or

• Check application property

• load compact <folder/apps> -c

• Enable DAOS at least for Mailxx.ntf and Mailbox.ntf (So you don't need to enable it again and again and again....)

Page 18: Deploying DAOS and ID Vault

Looking at the space savings

• After sending 2 emails – 5 MB and 30 MB

• LZ1 Compression is also used when creating the NLO files

Page 19: Deploying DAOS and ID Vault

More DAOS Information

• How many attachments were moved to DAOS

• Total size of attachment moved to DAOS

• This is a production Mail file..

Page 20: Deploying DAOS and ID Vault

Disabling DAOS

• If DAOS is disabled only at the server document

• Old messages will stay in the DAOS folder

• New messages will be stored in the DB

• To Disable DAOS at the application level

load compact <folder/app> -c -daos off

It will restore the attachments to the application, and if the attachment is no longer used by anyone else, it will be deleted based on the “Defer Object Deletion for” setting

Page 21: Deploying DAOS and ID Vault

DAOS – Best Practices

• Back up the Mail folder(s) first if the backup is performed while the server is running (Very Important !!!!)

• Enabling DAOS on the Mail.box(es) will improve DAOS processing time

• Enable DAOS on required Templates (Mailbox.ntf, Mailxx.ntf, etc…)

• Do not enable DAOS on the Mail Journal

• DAOS encryption represents up to 5% CPU utilization. Evaluate if it needs to be disabled (don’t worry too much about this)

• Evaluate location of DAOS Folder based on:

• I/O costs

• Storage Capacity

Page 22: Deploying DAOS and ID Vault

DAOS – Best Practices

• Do not play with the DAOS folder (It’s not a toy)

• Don’t move files

• Don’t delete files

• Let DAOS handle NLO files

• Notes/Domino Best Practices: Transaction Logging (# 7009309)

• Using the Lotus Domino Attachment and Object Service Estimator tool (# 7014980)

• DAOS Backup and Restore (# 1358548)

Page 23: Deploying DAOS and ID Vault

DAOS – Best Practices

• Minimum size limit is based on your system's disk block size

fsutil fsinfo ntfsinfo <drive>

• DAOS Estimator tool can help you define the minimum value
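
Added example (not from the original slides and not IBM's DAOS Estimator): a small model of how the minimum size and the disk cluster size interact, using the rules stated earlier (one NLO per unique attachment, no sharing for encrypted messages). The names `SAMPLE`, `on_disk` and `estimate` and the sample data are constructed for illustration; the modeling assumptions are listed in the docstring.

```python
# Constructed sample data: one tuple per attachment reference in a mail store,
# (content name, size in bytes, message encrypted?). Same name = same content.
KB, MB = 1024, 1024 * 1024
SAMPLE = [
    ("report.pdf", 5 * MB, False), ("report.pdf", 5 * MB, False),
    ("report.pdf", 5 * MB, False),
    ("slides.ppt", 30 * MB, False), ("slides.ppt", 30 * MB, False),
    ("logo.gif", 3 * KB, False), ("logo.gif", 3 * KB, False),
    ("sig.vcf", 900, False),
    ("contract.doc", 200 * KB, True), ("contract.doc", 200 * KB, True),
]

def on_disk(size, cluster):
    """Bytes a file occupies on disk: it always uses whole clusters."""
    return (size + cluster - 1) // cluster * cluster

def estimate(attachments, min_size, cluster):
    """Model DAOS storage for one minimum-size setting.

    Assumptions (not from the slides): attachments below min_size stay in
    the NSF, an attachment in an encrypted message gets its own NLO, and
    LZ1 compression and NLO header overhead are ignored.
    """
    shared = set()          # content already stored once as an NLO
    nlo_files = nlo_bytes = nsf_bytes = logical = 0
    for name, size, encrypted in attachments:
        logical += size
        if size < min_size:
            nsf_bytes += size                    # too small: kept in the database
        elif encrypted or name not in shared:
            nlo_files += 1                       # new NLO file on disk
            nlo_bytes += on_disk(size, cluster)
            if not encrypted:
                shared.add(name)
        # else: duplicate of a shared NLO, only a reference is kept
    return {"nlo_files": nlo_files, "nsf_bytes": nsf_bytes,
            "nlo_disk_bytes": nlo_bytes,
            "saved_bytes": logical - nsf_bytes - nlo_bytes}

if __name__ == "__main__":
    # Compare candidate minimum sizes on a volume with 4 KB clusters.
    for min_size in (1, 4 * KB, 64 * KB):
        print(min_size, estimate(SAMPLE, min_size, cluster=4 * KB))
```

On this sample, a 1-byte minimum creates 6 NLO files and saves slightly less than a 64 KB minimum that creates 4, because each tiny NLO still occupies a full cluster.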

Page 24: Deploying DAOS and ID Vault

Page 25: Deploying DAOS and ID Vault

ID Vault

• It is an optional feature that automates the most important ID related operations

• Synchronize passwords across multiple copies

• Upload a copy of the user ID to the ID Vault

• Allows resetting a password from the Admin client

• Use method ResetUserPassword to create self-service applications

• Automates Key rollovers

• Automates user renames

• Allows restoring IDs in case of loss or corruption

• No need to have the ID when installing a new Notes client

• Audit role – allows downloading a copy of the ID for auditing purposes. Set SECURE_DISABLE_AUDITOR=1 to disable it

Page 26: Deploying DAOS and ID Vault

ID Vault Requirements

• Servers hosting the Vaults or involved in the process must be 8.5

• Clients must be 8.5

• New Security view in both server and client’s log.nsf

• Multiple Domino Domains are not supported

• But Multiple Organizations within the same domino domain are

Page 27: Deploying DAOS and ID Vault

Configuring ID Vault

Page 28: Deploying DAOS and ID Vault

Configuring ID Vault

• Read carefully and click Next

Page 29: Deploying DAOS and ID Vault

Configuring ID Vault

• Enter the ID Vault’s name and some descriptive information. Click Next

• Remember.. You can create multiple ID Vaults

• The description will become the DB title

• Don’t name the ID vault as the Org, Domain, OU

Page 30: Deploying DAOS and ID Vault

Configuring ID Vault

• Enter a password and confirm it. Click Next.

• Optional: Set the ID Vault's ID location (Yes.. You need to worry about a new ID)

• Do not forget this password !!!

Page 31: Deploying DAOS and ID Vault

Configuring ID Vault

• Select your primary ID Vault server. Click Next

• You can add replicas of the ID Vault to other servers later

Important !!!! ID Vault replicas cannot be created using the standard “Create Replica” process – You must use ID Vault > Manage ID Vault Replicas

Page 32: Deploying DAOS and ID Vault

Configuring ID Vault

• Select the ID Vault administrators

Page 33: Deploying DAOS and ID Vault

Configuring ID Vault

• Select the Organizations or OUs that should be part of this ID Vault

Page 34: Deploying DAOS and ID Vault

Configuring ID Vault

• Add the users authorized to reset passwords

• Users/Servers with the “Password reset agent authority” will be able to sign agents that can reset passwords.

Page 35: Deploying DAOS and ID Vault

Configuring ID Vault

• Select “Create a new policy assigned to an organization”

• It will create an organizational policy

• There are multiple options here…. Be my guest !

Page 36: Deploying DAOS and ID Vault

Configuring ID Vault

• Select the Org to which this policy will be assigned.

Page 37: Deploying DAOS and ID Vault

Configuring ID Vault

• Enter some information to help the user contact the right team, or anything else that may help.

• This field supports html

Page 38: Deploying DAOS and ID Vault

ID Vault

• Review all the details and click Create Vault.

• You will be asked for one or more Cert IDs (based on the Org applied to the ID Vault)

Page 39: Deploying DAOS and ID Vault

ID Vault

• Cool !!!! We have created our first ID Vault

Page 40: Deploying DAOS and ID Vault

ID Vault

• Let’s see our new Policy

Page 41: Deploying DAOS and ID Vault

ID Vault

• and our ID Vault

Page 42: Deploying DAOS and ID Vault

ID Vault – Best Practices

• Here is our first user’s id uploaded to the Vault.

• It may take some time to upload the ID (the first time)

• ID File is encrypted

Page 43: Deploying DAOS and ID Vault

Administering ID Vault

Page 44: Deploying DAOS and ID Vault

ID Vault

Page 45: Deploying DAOS and ID Vault

Questions ??