Domino configuration
IAM uses the Domino database to store its data. This page describes how to set up the Domino server to host the IAM database.
Prerequisites
Setup Proton
To set up Proton, follow the Proton Administration guide. Be sure to enable the following two settings:
- TLS/SSL connection: PROTON_SSL=1
- Client certificate authentication: PROTON_AUTHENTICATION=client_cert
Setup ID Vault
Sensitive information stored inside the Domino database must be encrypted. To provide encryption support for that data, an ID Vault must be created. Follow the official guide to set up the ID Vault.
Create functional ID for IAM
Create a Domino functional ID for IAM and ensure the ID file is synced into the ID Vault:
- Open the People & Groups tab in Domino Administrator and click Tools -> People -> Register... in the right sidebar
- Enter your server's certificate ID password in the prompt dialog
- In the Register Person dialog that opens, enter the user's name and password
- In the ID Info tab, ensure the ID is in the ID Vault
- Click the green tick button and then the Register All button to create the user. The newly created user is added to the ID Vault once it has been created.
Note: Please ensure the functional ID is in ID Vault.
Create Proton client certificate for IAM
Create a Proton client certificate bound to IAM's functional ID. IAM requires this certificate to access Domino. See Proton Administration for how to configure it. Below is a cheat sheet of the steps:
Create private key with passphrase:
openssl genrsa -des3 -out iamapp.key 4096
Create CSR for the client certificate:
openssl req -new -key iamapp.key -out iamapp.csr -subj "common name" -sha256
Note: replace "common name" with the canonical name of IAM's functional ID. The name format looks like:
/O=hcl/CN=IAMAccessor
Sign with Proton's CA:
The CSR file then needs to be signed by your Proton server's Certificate Authority. If you manage the CA yourself, you can sign the certificate with openssl as follows:
openssl x509 -req -in iamapp.csr -CA ca.crt -CAkey ca.key -out iamapp.crt -CAserial ca.seq
Note: the ca.crt, ca.key and ca.seq are the same ones used to sign your Proton Domino server certificate.
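As an added example (not from the IAM documentation or the Proton/Domino products), the script below runs the three openssl steps above non-interactively and then performs the checks a practitioner would make before importing the certificate: the key is passphrase-protected, the CA file is PEM, the certificate chains to the Proton CA, and its CN matches the functional ID's canonical name. The throwaway CA, the directory layout, the demo passphrase and the function names are constructed for this example; with the real Proton CA, skip make_demo_ca and point the directory at the real ca.crt, ca.key and ca.seq.

```shell
#!/bin/sh
# Added example, not from the IAM documentation: the page's three openssl
# steps run non-interactively, followed by verification of the result.
# Assumptions: openssl is on PATH; ca.crt, ca.key and ca.seq are the Proton
# CA files. A throwaway CA (constructed here) stands in for them so that the
# script runs stand-alone.
set -eu

# Canonical name of the functional ID, in the form the page shows for -subj.
FUNCTIONAL_ID_DN="/O=hcl/CN=IAMAccessor"

# make_demo_ca DIR: self-signed CA used only to make this example self-contained.
make_demo_ca() {
  dir="$1"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 30 \
    -subj "/O=hcl/CN=Demo Proton CA" -out "$dir/ca.crt" 2>/dev/null
  printf '01\n' > "$dir/ca.seq"   # serial file that -CAserial reads and bumps
}

# make_client_cert DIR PASSPHRASE: private key, CSR and CA-signed certificate.
make_client_cert() {
  dir="$1"; pass="$2"
  # 1. passphrase-protected private key (the page uses -des3 and prompts;
  #    -passout supplies the passphrase). 2048 bits keeps the demo fast;
  #    the page uses 4096.
  openssl genrsa -des3 -passout "pass:$pass" -out "$dir/iamapp.key" 2048 2>/dev/null
  # 2. CSR whose subject is the functional ID's canonical name
  openssl req -new -key "$dir/iamapp.key" -passin "pass:$pass" \
    -subj "$FUNCTIONAL_ID_DN" -sha256 -out "$dir/iamapp.csr" 2>/dev/null
  # 3. sign with the CA files (ca.crt, ca.key, ca.seq)
  openssl x509 -req -in "$dir/iamapp.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.seq" -days 30 -sha256 -out "$dir/iamapp.crt" 2>/dev/null
}

# check_client_cert DIR: prints "ok" when the artifacts are usable, otherwise
# a short reason. Checks: key is encrypted, CA file is PEM, certificate chains
# to ca.crt, and the certificate CN equals the functional ID's CN (the page
# requires the subject to be the functional ID's canonical name).
check_client_cert() {
  dir="$1"
  grep -q ENCRYPTED "$dir/iamapp.key" || { echo "key-not-encrypted"; return 0; }
  openssl x509 -in "$dir/ca.crt" -noout 2>/dev/null || { echo "ca-not-pem"; return 0; }
  openssl verify -CAfile "$dir/ca.crt" "$dir/iamapp.crt" >/dev/null 2>&1 \
    || { echo "chain-fail"; return 0; }
  want_cn="${FUNCTIONAL_ID_DN##*/CN=}"
  have_cn=$(openssl x509 -in "$dir/iamapp.crt" -noout -subject -nameopt RFC2253 \
            | sed 's/.*CN=\([^,]*\).*/\1/')
  [ "$have_cn" = "$want_cn" ] || { echo "cn-mismatch:$have_cn"; return 0; }
  echo ok
}

# Stand-alone run: build everything in a temp dir and print the check result.
demo() {
  dir=$(mktemp -d)
  make_demo_ca "$dir"
  make_client_cert "$dir" "demo-passphrase"
  check_client_cert "$dir"
  rm -rf "$dir"
}
demo
```

The CN comparison is the check that matters most for this setup: a certificate that verifies against the CA but carries a different CN is still rejected by Proton's client-certificate authentication because it is not bound to the functional ID, and that failure only shows up later as a connection error.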
Import the client certificate into functional ID user document
Generate IAM storage database
The Domino template file template/iam-store.ntf is provided with the IAM installation package. Complete the following steps to create a database from it and to configure the database to store the IAM data.
Create the database with template
- Copy iam-store.ntf into the Domino server's /local/notesdata directory
- Open the Files tab in the IBM Domino Administrator
- Click the top-left menu: File -> Application -> New...
- In the opened dialog, choose your server name from the drop-down list, enter the title as iam-store, and update the File name to iam-store.nsf
- In the 'Specify Template for New Application' part of the dialog, choose your server and select the 'iam-store.ntf' template
- Click OK to create the application
- In the Files tab, press F9 to refresh the file list; you'll find the iam-store.nsf just created
Add ACL for the database
IAM's functional ID needs to be added to the database's ACL:
- In Domino Administrator, in the Files tab, find and select iam-store.nsf
- Click Manage ACL... from the right sidebar under the Database section
- Click the 'Add...' button to add the functional ID in the opened dialog
- Check the [_ReadAllItems] role for the functional ID you just added and click the OK button
Sign the database for running agent
The IAM database needs to be able to run a server-side agent. Sign the database with the server ID:
- In Domino Administrator, in the Files tab, find and select iam-store.nsf
- Right-click it and select "Sign..." from the context menu that opens
- Select the "Active Server's ID" radio button and click OK to sign the database with the server ID file
Note: We are working on simplifying the setup steps, this step will be removed in the future formal release.
Add the database into design catalog
The created iam-store.nsf needs to be added to the design catalog to make it searchable. In Domino's server console, issue this command:
load updall iam-store.nsf -e
This adds the database to the catalog; you should see output similar to the following in the console:
$ Updating views in /local/notesdata/iam-store.nsf 0 catalog documents removed, 12 view designs cataloged out of 12 total with 24 collations in 66.842 msecs $ Index update process shutdown
After the command runs, you will find a GQFDsgn.cat file under the /local/notesdata directory.
Check Outputs
After completing the previous steps, you now have:
- IAM's Domino Functional ID in ID Vault.
- IAM storage database with correct access in the ACL.
- Proton client certificate bound with the functional ID.
- The key of the client certificate with passphrase protection.
- If Proton uses a non-trusted CA, also prepare the PEM-format CA file.
Troubleshooting
Refer to the Troubleshooting page if you encounter errors when connecting to Proton.