Preparation
Before officially setting up IAM, you need to prepare several things:
Prepare server to run IAM
You need to prepare a server to run IAM.
Install Node.js
IAM's strategy is to support the LTS version of Node.js. The currently supported version is V8.12.0, which can be downloaded from the official site.
Hint: To check your current Node.js version, use the following command:
node --version
Decide the host name of your server
IAM needs a fixed host name so that all registered applications can find it. Changing the host name after IAM configuration will affect all registered applications. Before setup, please consider carefully which host name to use for your IAM service.
Prepare Domino server to host the IAM data nsf
IAM uses the domino-db module to communicate with Domino, so Domino V10.0.1 is required.
And you need to:
- Configure Proton on this Domino server. IAM uses advanced data encryption features provided by Proton.
- Enable the ID vault.
Please refer to the prerequisites section in Domino configuration for details.
Prepare SSL certificate for IAM server
As a security service, IAM uses HTTPS for the communication channel. To support HTTPS, prepare a certificate for the IAM server.
Note: IAM only supports PEM format certificate files and private keys. If your files are in PKCS #12 (.p12) format, you first need to convert them to PEM.
The steps below show how to prepare the certificate with openssl. You can use another tool if you prefer.
Step 1: Create a private key
Create a private key for IAM:
Example:
openssl genrsa -aes256 -out iamserver.key 2048
Note: Please enable passphrase protection on your iamserver.key PEM file. If your key file was generated without protection, openssl can add a passphrase to it:
openssl rsa -aes256 -in iamserver.key -out rsa_encrypted_server.key
Step 2: Create a CSR (Certificate Signing Request) file
Create a CSR file. This file contains the IAM server information and is given to the Certificate Authority when applying for an SSL certificate.
Example:
openssl req -key iamserver.key -new -sha256 -out iamserver.csr
You will need to input the certificate information to create the CSR.
Note: Make sure the common name field matches the IAM server host name. Modern browsers and TLS libraries also check the Subject Alternative Name (SAN) extension, so make sure the host name is included there as well.
Step 3: Send the CSR to Certificate Authority to get the certificate
Then provide the CSR file to a Certificate Authority (CA) to get the certificate. The CA should send you back the following certificates:
- (1) The root CA certificate file in PEM format, if the CA is not a well-known trusted CA.
- (2) The server certificate for the IAM server (in PEM format).
- (3) The CA chain file, which contains the PEM format certificates of the intermediate CA(s).
Concatenate (2) and (3) into one final certificate file. This certificate file is deployed during the IAM setup process.
The final certificate file may look like this:
-----BEGIN CERTIFICATE-----
[content of server certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[content of intermediate CA certificate]
-----END CERTIFICATE-----
...
Keep the server certificate first in the final certificate file, followed by the intermediate CA certificate(s) in signing order, as shown above; TLS clients expect the chain in that order, and Node.js reads a PEM chain the same way. Do not include the root CA certificate in this file; it is supplied separately when needed.
Note: If you are using an internal CA to sign your certificate, the following command signs the server certificate with the internal CA. A passphrase given as pass:... is visible to other users of the machine in the process list, so for a real CA key prefer -passin stdin or -passin file:<path>.
openssl x509 -passin pass:<password of CA key file> -req -days 365 -in iamserver.csr -CA <your CA certificate file> -CAkey <your CA key file> -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256
Example:
openssl x509 -passin pass:passw0rd -req -days 365 -in iamserver.csr -CA ca.crt -CAkey ca.key -out iamserver.crt -CAcreateserial -CAserial ca.seq -sha256
Check Outputs
As a result of the previous steps, now you have:
A server to run IAM with:
- Node.js installed.
- Fixed host name assigned.
Certificate and private key for the IAM server:
- The PEM format IAM server certificate (concatenated with the intermediate CA chain file if the certificate is signed by an intermediate CA).
- The private key, protected by a passphrase.
- The passphrase of the key file.
The certificate of the root CA.
It is recommended to use an SSL certificate from a well-known trusted Certificate Authority for the IAM server. If the SSL certificate is NOT signed by a trusted CA, the root CA certificate is also needed during IAM setup.
A Domino server with Proton configured.
The Domino ID vault enabled.