Notes.ini Entry



Name:

    DAOS_Resync_Validate_NLO_Files

Syntax

    DAOS_Resync_Validate_NLO_Files=0 / 1

Applies to:

    Servers

Add-on:


    First Release:

      8.5.x

    Obsolete since:

      10.0.2

    Category:

      DAOS

    Default:

      Off (0)

    UI equivalent:

      None

    Description:
    To enable validation of NLO files, specify the value of the following notes.ini setting as indicated. After you change the value of the setting, a server restart is NOT required to put the change into effect.

    Valid options are:
    1 - Enable validation.
    0 - Off (the default).

    After you enable the DAOS_RESYNC_VALIDATE_NLO_FILES setting, issue one of the following commands, either from the command line of your operating system or from the Domino console:

    If the DAOS catalog is not already synchronized, use the command daosmgr resync.

    For example, from the command line for your operating system, type daosmgr resync
    Or, from the Domino console, type tell daosmgr resync

    If the DAOS catalog is already in a Synchronized state, use the command daosmgr resync force.

    For example, from the command line for your operating system, type daosmgr resync force
    Or, from the Domino console, type tell daosmgr resync force

    Problem
    Errors result if you move NLO files from the originating server to another server and then attempt to read the data. NLO files are encrypted using the server.id file, and cannot be read if they are moved from the original server.

    Symptom
    During attempts to access NLO data that was moved from the original server, the following error occurs: 0x171C "Specified private key does not exist"

    Cause
    The NLO data is encrypted with the server.id file of the originating server.


    Messages are generated for any NLO that does not pass validation. The validation process attempts to read the NLO files and reports on any files that cannot be read. The process also checks for structural errors in the NLO file, and verifies that the NLO file either is unencrypted, or that it is encrypted and can be decrypted using the current server.id encryption key. The validation process is a read-only operation. No NLO data is modified during the process.

    Messages are generated via xprintf to the console and via DAOS_LOGGING with the RESYNC keyword.
    The best practice is to run the daosmgr resync command from the command line and redirect the messages from the standard output to a file.

    When you enable DAOS_RESYNC_VALIDATE_NLO_FILES to validate NLO files, the performance of the resync operation becomes slower. To restore normal performance, remove this INI setting or change its value to 0 after you finish using it.

    This fix adds support for the NLOENCRYPTION subcommand of the DAOS Manager command.

    Syntax:

    DAOSMGR NLOENCRYPTION [ENCRYPT | DECRYPT | VALIDATE] <path to single NLO file>|


    You can specify the following actions for the NLOENCRYPTION subcommand:

    VALIDATE - The VALIDATE option attempts to read the specified NLO files, and identifies any file that cannot be read. It checks for structural errors in the NLO file, and verifies that the NLO file is either unencrypted, or that it is encrypted and can be decrypted using the current server.id encryption key. The validation process is a read-only operation. No NLO data is modified during the process.
    ENCRYPT - The ENCRYPT option attempts to encrypt the specified NLO files using the current server.id encryption key. Depending on the encryption status of the NLO file, one of the following operations results:
    If the NLO file is already encrypted with the current key, no action is taken.
    If the NLO file is not encrypted, it is encrypted using the current key.
    If the NLO file is encrypted with the alternate server.id key, it is re-encrypted using the current key.
    This operation modifies every NLO file that is not already encrypted with the current key.
    DECRYPT - The DECRYPT option attempts to decrypt the specified NLO files using both the current server.id file key and the alternate server.id file key. If the NLO file is not encrypted, no action is taken. This operation writes the contents of the entire NLO header and data to a new file. It is not possible to perform an in-place update. This operation modifies every NLO file that is encrypted.

    Usage:

    1) Before you begin, verify that you have a current backup of all NLO data.

    2) Set the following notes.ini values as appropriate. After you change the values of any of these settings, a server restart is NOT required to put the changes into effect.

    DAOS_ENCRYPTION_ALTERNATE_SERVER_ID
    Optional - Set this value to the full path and file name of an alternate server.id file to use if the current server.id file is unable to decrypt the original NLO files during decryption or encryption. This setting applies to encrypt or decrypt operations only; it is NOT used during validation. During validation operations, only the current server.id file is used.

    Limitation: This version doesn't allow use of a server.id with password protection. As a workaround, decrypt the NLO files on the originating server before copying them to the destination server.

    DAOS_ENCRYPTION_REENCRYPT_IN_PLACE
    Optional - If an encryption update is required, by default, the re-encryption operation writes the data to a new NLO file with the new encryption. After the new file is created, it is swapped in for the original file, which is removed. This minimizes problems created by unexpected interruptions. This process requires writing the entire NLO header and data content to the new file.

    If the NLO file is already encrypted, the re-encryption can be attempted in-place on the existing NLO file. Because re-encrypting the file in-place requires rewriting the header of the NLO file only, the process consumes significantly less I/O than rewriting all of the data content. However, if the process is interrupted unexpectedly, for example, as the result of a power outage or disk error, there is some risk that damage can occur, because the live file is being updated.
    Under the default setting of 0, re-encryption does not occur in place. Set this variable to 1 to attempt re-encryption of NLO files without requiring a full rewrite of the data content.

    This setting applies only when changing the encryption on NLO files from an alternate server.id file to the current server.id file. Conversions that add encryption to non-encrypted NLO files, or remove encryption from encrypted NLO files are not eligible for the in-place operation. In cases where in-place re-encryption of the existing NLO file is not possible, the operation reverts to the default process of creating a new NLO file.

    3) Use one of the following three methods to specify the NLO files to process:
    Use the command with the path to an IND file to process all of the files listed in the IND file.

    For example, from the command line for your operating system, type:

    daosmgr nloencryption encrypt c:\listnlo1.ind

    Messages are generated via xprintf to the console and via DAOS_LOGGING with the RESYNC keyword.
    The best practice is to run the daosmgr nloencryption command from the command line and redirect the messages from the standard output to a file.

    All encryption and decryption operations should be coordinated with the setting of DAOS_ENCRYPT_NLO. For example, if NLO encryption is enabled, and the NLOENCRYPTION command is used to decrypt all the NLO files, any new NLO files created after that time will still be created with encryption.
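    As an added example (not HCL's code or part of the original page), the helper below handles the two chores the validation procedure and the NLOENCRYPTION usage above share: setting a notes.ini value such as DAOS_Resync_Validate_NLO_Files (or DAOS_ENCRYPTION_ALTERNATE_SERVER_ID) without disturbing other lines, and scanning the redirected daosmgr output for NLO files the current server.id cannot decrypt. The layout of the sample console lines is an assumption; only the 0x171C error text comes from the documentation.

```python
from typing import List

# Error the documentation reports for NLOs encrypted by another server's server.id.
MOVED_NLO_CODE = "0x171C"
MOVED_NLO_TEXT = "Specified private key does not exist"


def set_notes_ini_value(ini_text: str, key: str, value: str) -> str:
    """Return ini_text with exactly one KEY=value line for the given key.

    notes.ini keys are matched case-insensitively (the page itself spells this
    setting both DAOS_Resync_Validate_NLO_Files and DAOS_RESYNC_VALIDATE_NLO_FILES).
    Other lines are kept untouched, duplicates of the key are collapsed, and a
    missing key is appended. No restart is needed for the DAOS settings here.
    """
    out, found = [], False
    for line in ini_text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue  # drop any further definitions of the same key
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def scan_validation_output(console_text: str) -> List[str]:
    """Return the lines of redirected daosmgr output that flag an NLO file
    the current server.id key could not decrypt (error 0x171C)."""
    return [ln for ln in console_text.splitlines()
            if MOVED_NLO_CODE.lower() in ln.lower() or MOVED_NLO_TEXT.lower() in ln.lower()]


# Constructed sample of console output redirected to a file; message layout is assumed.
SAMPLE_OUTPUT = """\
DAOSMGR: Resync started, NLO validation enabled
DAOSMGR: /local/notesdata/DAOS/0001/ABCD1234.nlo: 0x171C Specified private key does not exist
DAOSMGR: /local/notesdata/DAOS/0001/EF567890.nlo: OK
DAOSMGR: Resync complete
"""

if __name__ == "__main__":
    ini = "ServerName=domino1/ACME\nDAOS_RESYNC_VALIDATE_NLO_FILES=0\n"  # constructed
    enabled = set_notes_ini_value(ini, "DAOS_Resync_Validate_NLO_Files", "1")
    print(enabled, end="")                      # ... then run: daosmgr resync force > resync.log
    for hit in scan_validation_output(SAMPLE_OUTPUT):
        print("cannot decrypt:", hit)
    print(set_notes_ini_value(enabled, "DAOS_Resync_Validate_NLO_Files", "0"), end="")
```

    Restoring the value to 0 afterwards follows the page's advice, since validation slows every resync while it stays enabled.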