Deploying DAOS and ID Vault


Published in: Technology, Business


  1. 1. MWLUG Conference 2009 IBM Center Chicago, IL August 27-28, 2009 Empowering the Lotus Community
  2. 2. Deploying DAOS and ID Vault Luis Guirigay [email_address] Twitter: lguiriga Session: IN107
  3. 3. Agenda
      • Who am I?
      • Introduction to DAOS
      • DAOS Estimator Tool
      • Configuring DAOS
      • Best Practices
      • Introduction to ID Vault
      • Configuring ID Vault
  4. 4. Who am I
      • Senior IT Specialist at PSC Group, LLC
      • Involved in Lotus Technologies since 1998
      • Co-Author of multiple IBM Redbooks (Domino 7 for i5/OS, Workplace Collaboration Services, DB2 for i5/OS and Lotus Workflow)
      • IBM Certified Administrator and Developer in 5, 6, 7, 8 and 8.5
      • IBM Certified Administrator in Sametime 7.5 and 8
      • IBM Certified Administrator in WebSphere Portal 6.0 and 6.1
      • IBM Certified Administrator in Lotus Connections 2.0.x
      • IBM Certified Developer in Lotus Workflow
      • Find me at:
          • Twitter = lguiriga
  5. 5. DAOS
  6. 6. Introduction to DAOS - Domino Attachment and Object Service
      • It is not “Shared Mail” (Shared Mail developers are doing something else)
      • Will keep only one instance of each attachment – unless:
          • Message is encrypted
      • It is a server feature – local replicas will get all attachments
      • Clustering is supported, but each server handles DAOS independently
      • DAOSCatalog.nsf keeps all relationship information
      • DAOS is configured per server (not per domain)
      • DAOS is green: less data = less storage/space needed = more savings
      • Attachments are now stored as encrypted .NLO files (by default)
      • Transparent to end users and applications
      • It requires Transaction Logging (TXN) - (That’s ok, TXN is cool)
          • Follow Transaction Logging Best Practices
  7. 7. Introduction to DAOS - Domino Attachment and Object Service
  8. 8. Introduction to DAOS - Domino Attachment and Object Service
  9. 9. DAOS Benefits
      • Disk space savings
          • Also keep in mind Design and Data compression
      • Backup times
      • Mail routing optimization when attachments are involved
      • Database compact will run faster since file size is reduced
      • I/O transactions are reduced
      • Reduced view rebuild times
      • DAOS files can be located at:
          • Network drive
          • SAN/NAS
          • Local drive
  10. 10. DAOS Estimator Tool
      • Free
      • Will tell you how much space you will save before upgrading
      • Tested on Domino 6.x and later (but it can run on Domino 5)
      • Output:
      • Get it here – IBM Technote #4021920
  11. 11. Configuring DAOS
  12. 12. Configuring DAOS
      • DAOS disabled by default
      • Remember to apply Fix Pack 1
  13. 13. Enabling DAOS
      • Go to Server Document > DAOS
      • Change it to Enabled
  14. 14. Enabling DAOS
      • Set the minimum size based on the OS bytes per cluster and number of attachments to be created. Example = 64 KB
      • Specify DAOS base Path
      • Set Defer Object Deletion (number of days DAOS will wait to delete the NLO file after the last message pointing to it has been deleted)
      • Save and Close
      • Restart server
  15. 15. Configuring DAOS
      • Sh Server – TXN and DAOS must be enabled
  16. 16. Upgrade to ODS 51
      • DAOS requires ODS 51
      • Add CREATE_R85_DATABASES=1 to server’s notes.ini
      • Update to ODS 51 using load compact -c
      • ODS 51 will also compress the Notes database
          • Mail file reduction when upgraded to ODS 51 = 27 MB vs 12 MB
  17. 17. DAOSify Applications and Templates
      • Use:
          • load compact <folder/apps> -c -daos on
          • Or:
              • Check application property
              • load compact <folder/apps> -c
      • Enable DAOS at least for Mailxx.ntf and Mailbox.ntf (so you don't need to enable it again and again and again...)
  18. 18. Looking at the space savings
      • After sending 2 emails – 5 MB and 30 MB
      • LZ1 Compression is also used when creating the NLO files
  19. 19. More DAOS Information
      • How many attachments were moved to DAOS
      • Total size of attachments moved to DAOS
      • This is a production mail file.
  20. 20. Disabling DAOS
      • If DAOS is disabled only at the server document
          • Old messages will stay in the DAOS folder
          • New messages will be stored in the DB
      • To disable DAOS at the application level
          • load compact <folder/app> -c -daos off
          • It will restore the attachments to the application, and if an attachment is no longer used by anyone else, it will be deleted based on the “Defer Object Deletion for” setting
  21. 21. DAOS – Best Practices
      • Back up Mail folder(s) first if backup is performed while server is running (Very Important !!!!)
      • Enabling DAOS on the will improve DAOS processing time
      • Enable DAOS on required Templates (Mailbox.ntf, Mailxx.ntf, etc…)
      • Do not enable DAOS on the Mail Journal
      • DAOS encryption represents up to 5% CPU utilization. Evaluate whether it needs to be disabled (don’t worry too much about this)
      • Evaluate location of DAOS Folder based on:
          • I/O costs
          • Storage Capacity
  22. 22. DAOS – Best Practices
      • Do not play with the DAOS folder (It’s not a toy)
          • Don’t move files
          • Don’t delete files
          • Let DAOS handle NLO files
      • Notes/Domino Best Practices: Transaction Logging (# 7009309)
      • Using the Lotus Domino Attachment and Object Service Estimator tool (# 7014980)
      • DAOS Backup and Restore (# 1358548)
  23. 23. DAOS – Best Practices
      • Minimum size limit based on your system's disk block
      • fsutil fsinfo ntfsinfo <drive>
      • DAOS Estimator tool can help you to define minimum value
  24. 25. ID Vault
      • It is an optional feature that automates the most important ID-related operations
          • Synchronizes passwords across multiple copies
          • Uploads a copy of the user ID to the ID Vault
          • Allows resetting a password from the Admin client
          • Use method ResetUserPassword to create self-service applications
          • Automates key rollovers
          • Automates user renames
          • Allows restoring IDs in case of loss or corruption
          • No need to have the ID when installing a new Notes client
          • Audit role – allows downloading a copy of the ID for auditing purposes.
              • SECURE_DISABLE_AUDITOR=1 to disable it
  25. 26. ID Vault Requirements
      • Servers hosting the Vaults or involved in the process must be 8.5
      • Clients must be 8.5
      • New Security view in both server and client’s log.nsf
      • Multiple Domino Domains are not supported
          • But multiple Organizations within the same Domino domain are
  26. 27. Configuring ID Vault
  27. 28. Configuring ID Vault
      • Read carefully and click Next
  28. 29. Configuring ID Vault
      • Enter the ID Vault’s name and some descriptive information. Click Next
          • Remember: you can create multiple ID Vaults
          • The description will become the DB title
          • Don’t give the ID Vault the same name as the Org, Domain or OU
  29. 30. Configuring ID Vault
      • Enter a password and confirm it. Click Next.
          • Optional: Set the ID Vault’s ID location (Yes.. You need to worry about a new ID)
          • Do not forget this password !!!
  30. 31. Configuring ID Vault
      • Select your primary ID Vault server. Click Next
      • You can add replicas of the ID Vault to other servers later
      • Important !!!! ID Vault replicas cannot be created using the standard “Create Replica” process – You must use ID Vault > Manage ID Vault Replicas
  31. 32. Configuring ID Vault
      • Select the ID Vault administrators
  32. 33. Configuring ID Vault
      • Select the Organizations or OUs that should be part of this ID Vault
  33. 34. Configuring ID Vault
      • Add the users authorized to reset passwords
      • Users/Servers with the “Password reset agent authority” will be able to sign agents that can reset passwords.
  34. 35. Configuring ID Vault
      • Select “Create a new policy assigned to an organization”
          • It will create an organizational policy
          • There are multiple options here…. Be my guest !
  35. 36. Configuring ID Vault
      • Select the Org to which this policy will be assigned.
  36. 37. Configuring ID Vault
      • Enter some information to help the user contact the right team or anything that may help.
      • This field supports HTML
  37. 38. ID Vault
      • Review all the details and click Create Vault.
      • You will be asked for one or more Cert IDs (based on the Org applied to the ID Vault)
  38. 39. ID Vault
      • Cool !!!! We have created our first ID Vault
  39. 40. ID Vault
      • Let’s see our new Policy
  40. 41. ID Vault
      • and our ID Vault
  41. 42. ID Vault – Best Practices
      • Here is our first user’s ID uploaded to the Vault.
      • It may take some time to upload the ID (the first time)
      • ID file is encrypted
  42. 43. Administering ID Vault
  43. 44. ID Vault
  44. 45. Questions ??
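
The DAOS prerequisites and the ID Vault auditor setting from the slides above, written as a preflight check over a server's notes.ini. This is an added example, not part of the original deck or IBM code. The notes.ini sample is constructed, and the TRANSLOG_Status and DAOS_ENCRYPT_NLO variable names and the "whole multiple of bytes per cluster" rule are assumptions not stated in the slides.

```python
# Added example: audit a Domino notes.ini against the deck's DAOS / ID Vault points.
# SAMPLE_NOTES_INI is constructed. TRANSLOG_Status and DAOS_ENCRYPT_NLO are not named
# in the slides (assumed from Domino documentation); the other keys are from the slides.

SAMPLE_NOTES_INI = """\
[Notes]
Directory=D:\\Lotus\\Domino\\data
TRANSLOG_Status=1
CREATE_R85_DATABASES=1
DAOS_ENCRYPT_NLO=0
"""

def parse_notes_ini(text):
    """Return {UPPERCASE_KEY: value}; skips blanks, section headers and ';' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def audit(settings, min_object_bytes, bytes_per_cluster):
    """Return findings for the server. min_object_bytes is the DAOS minimum size from
    the server document; bytes_per_cluster comes from `fsutil fsinfo ntfsinfo <drive>`."""
    findings = []
    if settings.get("TRANSLOG_STATUS") != "1":
        findings.append("transaction logging is not enabled; DAOS requires it")
    if settings.get("CREATE_R85_DATABASES") != "1":
        findings.append("CREATE_R85_DATABASES=1 is missing; DAOS requires ODS 51")
    if settings.get("DAOS_ENCRYPT_NLO") == "0":
        findings.append("NLO encryption is disabled; new NLO files are written unencrypted")
    if settings.get("SECURE_DISABLE_AUDITOR") != "1":
        findings.append("ID Vault audit role is active; holders can download copies of user IDs")
    # Assumption: "based on the disk block" is read as a whole multiple of the cluster size.
    if bytes_per_cluster <= 0 or min_object_bytes % bytes_per_cluster:
        findings.append("DAOS minimum size is not a multiple of bytes per cluster")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_notes_ini(SAMPLE_NOTES_INI), 64 * 1024, 4096):
        print("FINDING:", finding)
```
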