We’re excited to announce today that a new and improved installation process for Teamstudio NotesTools is coming at the beginning of July. We listened to your feedback and understand the frustrations you’ve had with the widgets. This new installation process leaves them behind for a Windows installer-based solution that’s easy, straightforward, and secure. There were complex technical challenges to navigate in order to create a better installation process. These challenges led us to take a completely different approach to solving this problem. In this blog post, we’ll describe some of these challenges and detail technical aspects of the new installation process coming next month.
Challenge 1: IBM Notes runs on top of the Eclipse Rich Client Platform.
The first challenge we faced when creating a new installer deals with the Eclipse Rich Client Platform (RCP). The Eclipse RCP is essentially the Java framework used to create the Eclipse Integrated Development Environment (IDE) with some extra bits thrown in to help customise the RCP. This extensibility creates a couple issues in the Microsoft Windows environment, which we’ll explore later in this article.
Developers can create plugins to add to the Eclipse RCP. Notes disables easy ways of installing plugins, but does provide widgets as an alternative. There’s also a command line interface to allow us to provision widgets into the Notes client. Our NotesTools also need to deploy DLLs, which our old Notes .nsf installer used to do. Running Notes as an administrator and using this install method probably still works for most instances of getting the DLLs to the right place. However, installing both plugins and DLLs together is hard and neither the restrictions from Windows nor the Notes client help.
Challenge 2: The Microsoft Windows security model keeps changing and adding new restrictions.
Because Microsoft Windows is the most prevalent OS in the marketplace, it’s a target for hackers and virus creators. To combat this, Microsoft has to keep increasing security measures to restrict access to anything that might cause damage. These measures keep getting more stringent, so developers have to adapt to maintain their ability to comply with the new restrictions.
Challenge 3: Since Java coded programs run in a Java Virtual Machine (JVM), it can create a security hole if you give that JVM access to anything outside of its own virtual environment.
Windows itself imposes some extremely stringent security around what a JVM can and can’t do since the Windows environment and its file system are outside of the JVM. Writing files to certain directories without administrator privileges becomes a real challenge at this point because Windows wants to stop the installer from doing it.
Depending on whether you have your Notes client installed in “Program Files” or C:\Notes, the installer may have to jump through security hoops to write anything to your Notes program directory while installing NotesTools.
Challenge 4: Running Notes as an administrator doesn’t always give you the rights you need, either.
In Notes, the Execution Control List (ECL) has protected us from malicious code for a long while. The ECL allows the user to specify which Notes ID can do various things to the system or environment, e.g write to the local file system, change program settings, and the like.
We’re used to this in Notes. This is one of the reasons Notes is very good at not being affected by malware or malicious code deployments. Domino administrators can also restrict, via desktop policy, Notes clients’ ability to install widgets. This has caused serious headaches when trying to install NotesTools since they’ve been primarily deployed as widgets.
Challenge 5: Virus checkers tend to quarantine DLLs.
With our previous installation method, some virus checking software would quarantine some of our files while we were provisioning the plugins into Eclipse. This happens because the DLLs are seen as a threat since they contain executable code. Although this doesn’t occur with all virus checkers, control of what the virus checker quarantines is mostly out of the control of the user who’s installing the NotesTools.
The Installation Process for NotesTools Version 31 and Prior
In previous versions of NotesTools, given that widgets were the approved way of installing plugins, the approach we took was to use widgets to install our plugins and then have those plugins install our DLLs and update notes.ini. As Windows security has gotten tighter, this approach fails because:
- Sometimes you can’t drag and drop the widgets,
- The plugins are no longer able to install DLLs to the Notes program directory,
- The code that updates notes.ini runs in a Java sandbox that can’t access Notes properties during the plugin install, so it doesn’t always find the right notes.ini.
It’s possible for most people to work around these limitations, but it involves running both a specific browser and Notes with admin privileges, which many people are rightfully uncomfortable about. Even then, Notes can be very picky about allowing widgets to be dragged. Some of our customers have blanket policies that prohibit them from installing any widgets.
The Installation Process for NotesTools Version 32
Given all the problems we’ve had with widgets, we’re abandoning that approach in favour of a Windows installer-based solution that runs outside of Notes and uses command-line provisioning to install plugins. We’re also now installing our DLLs outside the Notes program directory. They’re still going in program files and you still need admin access, but the Windows installer is designed to do that. It also works with the Windows User Access Control System to allow the installer to complete. The main reason for putting the files outside of the Notes program directory is to help customers who have shared Notes installs and can't have individual users writing to that directory. Every install will now write only to program files (x86)\Teamstudio and to a user’s own data directory and notes.ini.
To resolve challenge five listed in this post, the installer package will now be signed with a trusted certificate. The installer framework, which we use to build the installer package, also signs each one of the files contained within the installer package. When you trust the install on Windows, you’re telling the system to trust that certificate and therefore trust all the files contained in it. The virus checker then trusts them too, resulting in a successful install.
You’ll first see this new installation process in NotesTools Version 32 being released next month. There will be a single installer for all our client-based tools: Analyzer, CIAO! client, Configurator, Delta, Design Manager, Profiler, Undo, and Validator. We’ll notify you when Version 32 is available.
-Mark Dixon, Teamstudio