IAM configuration
This document describes how to set up IAM from the original downloaded package file, domino-iam-service.tgz.
Note: Complete the steps on the Preparation and Domino configuration pages before you start the IAM server setup.
IAM package structure
Decompress the domino-iam-service.tgz package file; it contains these files:
domino-iam-service/
| admin-client/
| config/
| | certs/
| | | ca/
| | | | README.md
| | local.properties
| dependencies/
| template/
| | iam-store.ntf
| utility/
| | changePassword.js
| | setup.js
| views/
| package.json
| iam-server.js
| package-lock.json
Package structure:
- views contains the default UI pages for login/logout/interaction operations. You can customize your own pages by following the UI Customization guide.
- template contains the IAM storage template file (iam-store.ntf), which you use to create the Domino database as described in Domino configuration.
- admin-client contains the UI pages that the IAM admin uses to create or manage applications and configuration settings. See IAM management for details.
- config contains an empty configuration file (local.properties) for the user to configure; IAM configuration is written to this file during the setup process.
- config/certs is the placeholder for the IAM certificate and key files.
- config/certs/ca is the placeholder for the IAM trust store. CA certificates that IAM should trust are placed here.
Install npm dependency packages
IAM's dependency packages need to be downloaded and installed by npm. Make sure that your server has network connectivity, then run the following command to install the packages. (The package ships with a package-lock.json; npm ci installs exactly the versions recorded there, whereas npm install may resolve newer versions and rewrite the lock file.)
cd domino-iam-service
npm install
Prepare for HTTPS configuration
HTTPS/SSL is mandatory for the IAM server. The server's SSL/TLS certificate enables secure communication between client applications and the IAM server; the admin configures SSL for the IAM server during setup.
Step 1: Before setting up the IAM server, put the following files into the config/certs folder:
- the IAM server private key (if the key is encrypted, only RSA is supported)
- the IAM server certificate in PEM format (if the certificate is signed by an intermediate CA, concatenate it with the intermediate CA chain file, server certificate first)
Note: For certificate/private key issues, see Preparation.
Step 2: If the IAM server certificate is NOT signed by a well-known trusted CA, put the root CA certificate into the IAM trust store folder, config/certs/ca.
Prepare for Domino storage connection
The IAM server stores its data in Domino. See Domino configuration to prepare the Domino storage.
IAM uses client-certificate authentication to connect to the Domino storage. Put the following key and certificate files into the config/certs folder:
- Domino Proton client certificate
- Domino Proton client key
If the Domino Proton certificate is not signed by a well-known trusted Certificate Authority, put the root CA certificate (and all intermediate CA certificates) into the IAM trust store folder, config/certs/ca.
Configure the trust store in IAM
IAM uses TLS/HTTPS when communicating with other servers and verifies the peer certificate on every TLS connection. If a peer's certificate is signed by an internal CA instead of a well-known trusted CA, put the PEM-format CA certificate (including any intermediate CAs) into the IAM trust store (the config/certs/ca folder) so that IAM trusts it. Specifically:
- IAM enforces HTTPS between the IAM server and the IAM Admin server. Make sure the IAM server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
- IAM enforces TLS between the IAM server and the Domino Proton server. Make sure the Domino Proton server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
- IAM supports LDAPS (LDAP over TLS) between the IAM server and the LDAP server (Domino or Active Directory). Make sure the LDAPS server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
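The file placement described in the three sections above (server key and certificate chain in config/certs, Proton client key and certificate in config/certs, root CA in config/certs/ca) is easy to get subtly wrong: a key that does not belong to its certificate, a chain file that is missing its intermediate, or a passphrase that is not the one you will type at the setup prompt. The following shell script is an added example, not part of the IAM package or its setup script; it assumes the openssl CLI (1.1.1 or newer) is on PATH and builds a constructed, throwaway root / intermediate / server PKI (with the invented host name iam-server.com and passphrase "iam-demo") purely to exercise the two checks offline. Run the same checks against your real files before npm run setup, and run them again for the Proton client pair with the Domino CA as the root.

```shell
#!/bin/sh
# Added example; not part of the IAM package or its setup script.
# Pre-flight checks for the PEM files that go into config/certs (server key and
# certificate chain, Proton client key and certificate) and config/certs/ca
# (root CA). Assumes the openssl CLI (1.1.1 or newer) is on PATH.
set -eu

# check_key_matches_cert KEY CERT [PASSPHRASE]
# Succeeds when the public key inside CERT equals the one derived from KEY,
# i.e. the key really belongs to that certificate. PASSPHRASE is the key's
# protection passphrase (the value the setup prompt asks for); omit it for an
# unencrypted key. A wrong passphrase makes the check fail.
check_key_matches_cert() {
  key=$1; cert=$2; pass=${3:-}
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# check_chain CHAIN ROOT
# CHAIN is the file placed in config/certs: the server (or client) certificate
# first, followed by any intermediate CA certificates. ROOT is the root CA
# certificate that goes into config/certs/ca. openssl verify validates the
# first certificate in CHAIN; -untrusted lets it take the intermediates from
# the same file, so a chain file missing its intermediate fails the check.
check_chain() {
  chain=$1; root=$2
  openssl verify -CAfile "$root" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# make_demo_pki DIR
# Builds a throwaway root -> intermediate -> server PKI in DIR. Constructed test
# material only; it is not a substitute for the certificates described on the
# Preparation page. Produces DIR/root.crt, DIR/iam.key (RSA, AES-encrypted with
# passphrase "iam-demo"), DIR/iam.crt (server cert + intermediate),
# DIR/iam-leaf.crt (server cert alone) and DIR/other.key (an unrelated key).
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:iam-server.com\n' > "$d/leaf.ext"
  for name in root int iam-plain other; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$name.key" 2>/dev/null
  done
  openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -key "$d/int.key" -subj "/CN=Demo Issuing CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -new -key "$d/iam-plain.key" -subj "/CN=iam-server.com" -out "$d/iam.csr" 2>/dev/null
  openssl x509 -req -in "$d/iam.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf.ext" -out "$d/iam-leaf.crt" 2>/dev/null
  # The setup expects an RSA key; store it passphrase-protected, as a delivered key often is.
  openssl pkey -in "$d/iam-plain.key" -aes256 -passout pass:iam-demo -out "$d/iam.key" 2>/dev/null
  # Chain file as config/certs expects it: server certificate first, then the intermediate.
  cat "$d/iam-leaf.crt" "$d/int.crt" > "$d/iam.crt"
}

# Usage: sh check-certs.sh demo   (runs the checks against the constructed PKI)
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  check_key_matches_cert "$tmp/iam.key" "$tmp/iam.crt" iam-demo && echo "key matches certificate"
  check_chain "$tmp/iam.crt" "$tmp/root.crt" && echo "chain verifies against root CA"
  check_chain "$tmp/iam-leaf.crt" "$tmp/root.crt" || echo "server cert alone fails: intermediate missing from chain file"
  rm -rf "$tmp"
fi
```

For real material, call check_key_matches_cert with the passphrase you intend to enter at the "Server's ssl key password" (or "The key file's protection passphrase") prompt, and check_chain with the root CA file that will go into config/certs/ca; both checks print nothing and return non-zero on failure, so they are easy to drop into a deployment script.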
IAM setup
Set up IAM with the following command:
~/domino-iam-service$ npm run setup
Part 1: Config IAM Admin username/password
IAM provides an Admin service on a separate port when it launches. This account lets you log in to the Admin service and manage your IAM server.
Welcome to IAM Setup
? IAM Admin username: admin
? Enter IAM Admin password: [hidden]
? Enter IAM Admin password again: [hidden]
Admin password is set successfully
Part 2: Config IAM server password
This password protects the encrypted IAM configuration and is required every time you launch IAM. Make sure you remember it and never expose it to anyone who should not have it.
? Enter IAM server password: [hidden]
? Enter IAM server password again: [hidden]
Server password is set successfully
Part 3: Config Issuer
About to config The URL of issuer.
? IAM Service ISSUER: https://iam-server.com
Following configuration have been input for The URL of issuer --
issuer - https://iam-server.com
? Confirm? Yes
Configure the issuer URL in this step:
Setting Name | Setting Description |
---|---|
IAM Service ISSUER | The IAM service URL that is exposed to client applications. For a standalone server this is the server's own URL; if a load balancer or proxy sits in front of IAM, it is the proxy URL that clients actually use. |
Note: If your IAM server does not serve on the default HTTPS port (443), include the port in the issuer, for example: https://iam-server.com:6443
Part 4: Config port settings
About to config Port Settings.
? IAM service's port: 443
? ADMIN service's port: 8443
Following configuration have been input for Port Settings --
IAM service's port - 443
ADMIN service's port - 8443
? Confirm? Yes
This part configures the IAM service port and the IAM Admin service port.
Setting Name | Setting Description |
---|---|
IAM service's port | The IAM service port number |
ADMIN service's port | The IAM Admin service port number |
Part 5: Config SSL settings
About to config SSL Settings.
? IAM server's ssl key file path (relative to 'config/certs' folder): iam.key
? Server's ssl cert file path (relative to 'config/certs' folder): iam.crt
? Server's ssl key password: [hidden]
Following configuration have been input for SSL Settings --
IAM server's ssl key file path - config/certs/iam.key
Server's ssl cert file path - config/certs/iam.crt
Server's ssl key password - ***
? Confirm? Yes
This part sets up the SSL configuration of the IAM server.
Setting Name | Setting Description |
---|---|
IAM server's ssl key file path (relative to 'config/certs' folder) | IAM server's private key |
Server's ssl cert file path (relative to 'config/certs' folder) | IAM server certificate |
Server's ssl key password | password of IAM server's private key |
Part 6: Config storage settings
About to config Storage Settings.
? Hostname of the Domino server: domino-server.hcl
? Domino's Proton service port: 447
? IAM's storage nsf file path, a relative path to Domino data path: iam-store.nsf
? IAM's Proton client cert file path (relative to 'config/certs' folder): config/certs/app3.crt
? IAM's Proton client cert key file path (relative to 'config/certs' folder): config/certs/app3.key
? The key file's protection passphrase: [hidden]
? The cert's bounded functional ID's password: [hidden]
Following configuration have been input for Storage Settings --
Domino server host name - domino-server.hcl
Domino Proton service port - 447
Storage nsf file - iam-store.nsf
Domino Proton client cert - config/certs/app3.crt
key for the client cert - config/certs/app3.key
Passphrase of key file - ***
Functional ID's password - ***
? Confirm? Yes
This part configures the Domino database in which IAM stores its data.
Setting Name | Setting Description |
---|---|
Hostname of the Domino server | The Domino server's host name |
Domino's Proton service port | The Proton connection port; it must match the port configured on the Domino server |
IAM's storage nsf file path (e.g. iam-store.nsf) | The database file name including its path, relative to the Domino data directory (e.g. /local/notes/data/) |
IAM's Proton client cert file path (relative to 'config/certs' folder) | Client certificate |
IAM's Proton client cert key file path (relative to 'config/certs' folder) | Client private key |
The key file's protection passphrase | Passphrase of the client private key |
The cert's bounded functional ID's password | Password of the Notes ID file (functional ID) that the client certificate is bound to |
Note: The database (nsf file) must be created from the IAM storage template before you use it. See Domino configuration to set up the database.
Confirmation
? Confirm with those configuration? Yes
IAM Server setup completed.
NOTICE: The configuration file has been encrypted.
NOTICE: Original configuration file has been renamed to *.[timestamp].bak file,
please delete it after confirmation to keep confidential.
Tips:
- The *.[timestamp].bak file is the pre-encryption copy of the configuration; delete it once you have confirmed that the server starts, as the NOTICE above says.
- After each group of settings there is a confirm prompt; answer n to change the settings of that group.
- After all settings are entered there is a final confirm prompt; to revisit one or more groups, answer No and then pick the group with the arrow keys:
? Confirm with those configuration? No
? What setting do you want to edit again?
  The URL of issuer
❯ Port Settings
  SSL Settings
  Storage Settings
Start IAM server
Run the following command in the IAM root folder:
~/domino-iam-service$ npm start
Enter the IAM server password to start the IAM server when you see the following output:
Start to unlock config:
? Enter current IAM server password: [hidden]
The following output indicates that the IAM server has started successfully:
[13:16:23][info][initServices]: Start IAM service on port 443
[13:16:23][info][initServices]: IAM service serves on port 443
[13:16:23][info][initServices]: Start Admin service on port 8443
[13:16:23][info][initServices]: Admin service serves on port 8443
Then you can access the IAM server in your browser.
Tips: In the example above the issuer is set to https://iam-server.com and the Admin service port is 8443, so you can visit:
- IAM service: https://iam-server.com
- Admin service: https://iam-server.com:8443
Next step: Configure IDP to connect with LDAP
The next step is to set up the IDP through the IAM Admin service.
See the Configure IDP section in IAM management.