Home
What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
What's New in 14.0?
HCL Domino 14.0 introduces the following new features and enhancements.
Enhancements related to security features
HCL Domino 14.0 provides the following enhancements related to security features.
Global OpenID Connect (OIDC) enhancements
In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.

What's new in Domino 14?
Learn about all of the new features for administrators in HCL Domino® 14.
- What's new in 14.0 Fixpack 1?
- What's New in 14.0?
  HCL Domino 14.0 introduces the following new features and enhancements.
  - Enhancements related to security features
    HCL Domino 14.0 provides the following enhancements related to security features.
    - Updated default TLS ciphers
      Domino 14 has updated the default TLS ciphers to include only ciphers with PFS, AEAD, and SHA-2 according to current security best practices.
    - Security policy for ID file encryption
      In Domino 14.0, you can set a policy to upgrade the algorithm used to encrypt the ID file to AES-128 with SHA-256, or AES-256 with SHA-512, when changing the password.
    - Global OpenID Connect (OIDC) enhancements
      In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.
    - Web user login with OIDC enhancements
      HCL Domino 14.0 provides the following web user login with OIDC enhancements.
    - HTTP Bearer authentication replacements
      HCL Domino 14.0 provides the following HTTP Bearer authentication replacements.
    - Enhanced OpenID Connect 1.0 (OIDC) provider support
      Domino 14.0 improves our support for Microsoft's less-than-standard OIDC providers.
    - SHA256 support for Internet password in Domino directory
      With Domino 14.0, users' password hashes will now be updated to SHA256 when they change their Internet passwords in the Person Document.
    - New Passkey authentication
      HCL Domino 14.0 introduces authentication with passkey via the WebAuthn/FIDO2 protocol.
    - Third-party access token validation
      There is a new API that is exposed in the SDK for 14.0. This would be usable from any server process, and would leverage the trusted OIDC providers configured in idpcat.nsf to validate access tokens.
    - Document and email encryption capabilities
      HCL Domino 14.0 provides the following person document/email encryption capabilities.
    - Cluster-safe, sprayable, single-server session cookies (DomAuthSessId)
      When enabled by setting the new notes.ini DominoSessionCookieUniqueNames=1 the name of the DomAuthSessId cookie becomes DomAuthSessIdABCDEFGHIJK, where ABCDEFGHIJK is the first 11 characters of Base64url [SHA256 (Domino server DN)]. This causes multiple Domino servers that are all serving the same internet site to choose unique cookie names instead of overwriting each other's cookies.
    - New version of OpenSSL
      HCL Domino provides a new OpenSSL version.
    - ID file login prevention
      Notes 14.0 provides the following enhancement for Notes Federated Login.
  - New AdminCentral app
    The AdminCentral application (admincentral.nsf) is automatically created by adminP on the Domino administration server. You can open AdminCentral directly from your Notes Standard or Nomad web client, without the need to start Domino Administrator.
  - AutoUpdate for software download and distribution
    This new feature notifies you of the latest Domino and Domino product family available on the Domino server. You can use AutoUpdate to download selected software from the My HCLSoftware portal and have it distributed to groups or selected Domino servers.
  - One-touch setup enhancements
    HCL Domino 14.0 includes Domino one-touch setup enhancements.
  - Domino installation inclusions
    Domino installation now includes HCL Verse, HCL Nomad server on Domino, and OnTime Group Calendar.
  - Windows installer updates
    Domino install no longer supports the notes.ini in the executable directory on Windows.
  - Auto-notifications for the latest product versions
    This opt-in feature makes administrators aware of the latest version available for Domino and Domino companion products.
  - Upgrade to HCL Notes 64-bit using AutoUpdate
    Starting with Domino 14.0, only 64-bit Notes clients are supported. Users upgrading servers from Domino 12.0.2 (or earlier) to 14.0 with a 32-bit client will need to upgrade to the 64-bit version. If a user is already running a 64-bit client, administrators can set up Auto Update (AUT) to support the upgrade anyway.
  - External email notifications
    Administrators can now have text added to the top of all incoming email sent by users outside your domains. This message might be used to remind your users to use caution and avoid clicking links or opening file attachments in messages that haven't originated from within your environment.
  - Enabled policy for delayed mail delivery
    In Notes mail, the Send Later button is easy for users to discover, and the Domino policy that allows Notes users to see that option is now enabled by default.
  - Disable LotusScript Debugger in HCL Notes
    You can set a desktop policy to disable the LotusScript Debugger in your Notes client.
  - Files tab supports database encryption
    Previously, an administrator could only change the encryption status of a single database. Now, by using the Files panel of the Administration client, an admin can select multiple databases and change their encryption settings. An admin can also see the current encryption state and strength for all databases.
  - DAOS repair in a Domino cluster
    With the DAOSmgr Repair Tell command, Domino administrators can scan the DAOS catalog for objects marked as missing during DAOS resynchronization and attempt to repair them from the server's cluster mates.
  - Domino Restyle enhancements
    Domino Restyle updates an application's UI elements with a color-coordinated, cleaner look and feel. The following enhancements are supported by Notes 14.
  - Other updates
    Domino 14.0 also includes the following updates.
- Components no longer included in this release
  The following components are no longer included in Domino 14.

Global OpenID Connect (OIDC) enhancements

In Domino 14.0, the per-process JWK Cache and JWKCacheMgrThread from 12.0.2 have been combined into a global, cross-process OIDC provider cache.

The notes.ini variables used to tune this cache have changed accordingly:

DEBUG_JWK_CACHE, DEBUG_JWK_CACHE_MGR was replaced with DEBUG_OIDC_CACHE=(1,2,3,4,5,6)
DEBUG_JWS, DEBUG_OIDC_CURL_APIS, and DEBUG_OIDC_JSON_PARSER notes.ini variables are unchanged from 12.0.2
OIDC_PROVIDER_CACHE_POLLING_INTERVAL was removed; the server task currently checks for updates every minute.
OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL has a new default of 10 minutes (600 seconds).
OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION has a new default of 30 minutes (1800 seconds).
OIDC_JWK_CACHE_PURGE_INTERVAL and OIDC_JWK_CACHE_PURGE_EXPIRED_SEC are unchanged from 12.0.2, retaining their 12 and 24 hour defaults, respectively.

The OIDC Provider document in idpcat.nsf has been expanded to include additional per-provider configuration information that was configured globally with notes.ini variables in 12.0.2. The old notes.ini variables have been removed; for details, see the section that follows this one. Tracing for this functionality can be enabled with DEBUG_OIDC_CONFIG=(1,2,3)

The server stats for OIDC-related functionality have been consolidated:

Security.OIDC.Providers.Configured
Security.OIDC.Providers.Initialized
Security.OIDC.Providers.BearerCapable
Security.OIDC.Providers.LoginCapable
Security.OIDC.Providers.LastChecked
Security.OIDC.JWKs.Cached
Security.OIDC.JWKs.Cache.Hits
Security.OIDC.JWKs.Cache.Misses
Security.OIDC.JWKs.Cache.Expired
Security.OIDC.Bearer.Success
Security.OIDC.Bearer.Failures
Security.OIDC.Auth.Login.Success
Security.OIDC.Auth.Login.Failures
Security.OIDC.Auth.Logout.Success
Security.OIDC.Auth.Logout.Failures