Configuration
Proton is a Domino server add-in task that is part of the Domino AppDev Pack. The purpose of this task is to execute remote requests from applications written to use the domino-db API. Proton enables remote applications written in Node.js or Java that use the domino-db API to perform read/write operations on documents in a server database.
Configuration Settings
Each Domino server that runs Proton must have a Proton configuration document
in the adpconfig.nsf
database. See Domino Installation
for information about creating the database on your Domino server.
There are two ways to create a configuration document in the Proton section of the database:
Select Add Server Configuration -> For new server... to create a configuration document for a server with the default settings.
Select Add Server Configuration -> Import server INIs.. to copy the notes.ini configuration settings from a server that was previously configured for the AppDev Pack before the 1.0.5 release.
The following sections describe the settings in the configuration document.
Server Settings
Domino Server Name
Identifies the name of the Domino server that uses the configuration document. Each Domino server that runs Proton must have its own configuration document.
If you try to start Proton on a Domino server that doesn't have a configuration document, Proton generates the following error and stops:
PROTON: Unable to find configuration document for '...' in database 'adpconfig.nsf': Entry not found in index
Enabled
Controls whether Proton is enabled on the given server. A change to this setting takes effect the next time Proton starts.
Listen Address
Controls the IP address Proton uses to listen for incoming network connections. Use "127.0.0.1" to bind to the local address. (Proton accepts connections only from the local machine.) Use "0.0.0.0" to bind to all IP addresses available on the machine. Otherwise, use another IP address that is available on the local machine.
Listen Port
Controls the port Proton uses to listen for incoming network connections. Specify a port that is available for use on the machine. For testing only, you can specify 0 to enable Proton to select a random, available port on the machine.
SSL Settings
Enable SSL/TLS connections
Enable this setting to allow Proton to accept TLS encrypted and authenticated connections. If enabled, you must provide a Domino Keyring File that contains the private key for the Proton server and one or more root certificates for establishing trust with clients.
Disable this setting to allow Proton to accept unencrypted and unauthenticated connections. This is a valid option if domino-db applications require only Anonymous access to Domino data.
Proton does not accept both encrypted and unencrypted requests at the same time.
Keyring File
Provide the name of the keyfile created with the Domino kyrtool
. The keyfile
must have the private key for the Proton add-in task. The file path is relative
to the Domino server's data directory.
See this page for more information about creating the keyfile.
See this page for more information about using the Domino KYRTool.
Authentication
Client authentication
Controls how Proton authenticates clients. Valid options are:
Client Certificate
- Authentication occurs through a client certificate is that mapped to a Person document in the server's directory. Access to data is calculated based on this identity. Proton must be enabled for TLS.Anonymous
- All requests are made as theAnonymous
user identity. This name does not need to appear in the directory, but it does need to be given access in database ACLs. This option is available with and without TLS being enabled.
Enable Act-as-User Tokens
Indicates whether Act-as-User requests are available to domino-db
applications. When disabled, Act-as-User requests will fail with the
FEATURE_NOT_ENABLED
error.
This setting is available only when TLS is enabled with client certificate authentication.
See this page for more information about the Act-as-User feature.
IAM Client Configuration Name
Identifies the name used with the oauthcfg
tool to store the IAM
introspection credentials that Proton uses to complete Act-as-User
requests. The introspection credentials are created by IAM when you register
the Proton Resource Provider. You then store these credentials in the Domino
credential store using the oauthcfg
tool under a name that you provide with
the oauthcfg create
command. Proton uses the value of this setting to find
the credentials and URL to use to make introspection requests to the
IAM service.
See the this page for more details about the oauthcfg
tool.
This setting is available when TLS is enabled with Client Certificate Authentication.
Get ID file wait
Limits on the amount of time a request waits to retrieve an ID file from the ID vault. Proton applies this setting when domino-db requests require access to an application's ID file.
Administrative Operations
Allow administrative operations
Controls whether applications can create or delete Domino databases in the
Domino data directory. When this setting is disabled and an application attempts
to create or delete a database, Proton responds with the FEATURE_NOT_ENABLED
error.
This setting is only available when TLS is enabled with Client Certificate Authentication.
Act-As-User configuration
Controls whether applications can perform Act-as-User operations. Only listed applications can perform 'Act-as-User' operations. When 'Act-as-User' operations are attempted on an application that is not listed, a 'NOT_AUTHORIZED' error is returned.
This configuration is enabled when the Act-as-User tokens and Allow administrative operations Features are enabled.
An application can perform 'Act-as-User' operations when the administrator has added API-specific configuration that allows them. The configuration can specify the application's functional ID or specify local groups that contain the application's functional ID.
'Act-as-User operation Rules' for details.
Note: ReferCreate/Delete databases
Controls which applications can list, through 'Act-as-User' operations, can create or delete Domino databases in the Domino data directory.
When this list is empty, no applications can can create or delete Domino databases.
List Domino databases
Controls which applications can list, through 'Act-as-User' operations, the Domino databases in the Domino data directory.
When this list is empty, no applications can list the Domino databases.
Session Limits
Session cache TTL
Controls the amount of time Proton caches the authentication entry for an application request or an Act-as-User request.
See the session cache section for more details.
Session cache max entries
Controls the number of authentication entries that Proton caches.
See the session cache section for more details.
Document Limits
Maximum note count
Controls the maximum number of documents Proton processes in a query found set. By default, Proton processes a maximum of 200 documents per request. A domino-db application may request more than the limit, but Proton caps the result size to this limit.
Warning: If Proton executes many simultaneous queries with large found sets, this setting can affect overall performance. You should find the right balance based on the applications running in your enterprise.
Attachments
Enable writing of attachments
Controls whether applications can write attachments to a Domino
database. When this setting is disabled and an application attempts to write
an attachment, Proton responds with the FEATURE_NOT_ENABLED
error.
Maximum attachment size
Limits the attachments that can be written to Domino databases to the specified size, in megabytes (MB). A value of 0 (default) indicates no limit and that attachments of any size can be written.
Minimum attachment chunk size
Controls the minimum chunk size Proton uses when clients read an attachment. By default, the minumum chunk size is 4 KB. Specify a value between 1 KB to 8 KB.
This setting is the low value constraint in the chunkSizeKb
of all the
attachment related calls in the domino-db API.
Maximum attachment chunk size
Controls the maximum chunk size Proton uses when clients read an attachment. By default, the maximum chunk size is 32 KB. Specify a value from 8 KB to 64 KB.
This setting is the high value constraint in the chunkSizeKb
of all the
attachment related calls in the domino-db API.
Rich Text
Allow reading/writing of rich text
Controls whether applications can read and write rich text fields in a Domino
database. When this setting is disabled and an application attempts to read or
write a rich text field, Proton responds with the FEATURE_NOT_ENABLED
error.
Maximum rich text size
Limits rich text fields that can written to databases. The default is 1024 MB.
Minimum rich text chunk size
Controls the minimum chunk size Proton uses when clients read rich text fields. By default, the minumum chunk size is 4 KB. Specify a value from 1 KB to 8KB.
This setting is the low value constraint in the chunkSizeKb
of all the
rich text related calls in the domino-db API.
Maximum rich text chunk size
Controls the maximum chunk size Proton uses when clients read rich text fields. By default, the maximum chunk size is 32 KB. Specify a value from 8KB to 64 KB.
This setting is the low value constraint in the chunkSizeKb
of all the
rich text related calls in the domino-db API.
Rate Limits
See the rate limit section for additional details.
Enable Act-as-User token rate limit
Controls whether rate limiting for the bad Act-as-User requests feature is enabled. Disabling is less secure. This setting is automatically disabled if Act-as-User is disabled.
Maximum number of applications in history
Controls the number of applications that Proton maintains for the purpose of identifying bad acting applications.
Number of bad requests allowed per application
This is a two value setting. The first value controls the number of bad requests allowed by an application. The second value controls the amount of time for bad requests from an application.
Jail time for abuse
Controls the amount of time applications are put in "jail" for
sending abusive requests. Requests from a jailed application fail with
the RATE_LIMIT_DENIED
error.
Agents
Allow agents to execute
Controls whether domino-db agent.run() calls are allowed to execute. By default, an application using domino-db is allowed to run agents when database permissions allow it. A change to this setting requires a restart of Proton task.
JVM min heap
An optional parameter that Proton passes to the JVM at initialization to
specify the initial size, in bytes, of the memory allocation pool. This
setting is equivalent to the -Xms
command line option used when running a
Java application. Changes to this setting requires a restart of the Proton
task.
If blank, JVM uses it's default value.
JVM max heap
An optional parameter Proton passes to the JVM at initialization to specify
the maximum size, in bytes, of the memory allocation pool. This setting is
equivalent to the -Xmx
command line option used when running a Java
application. Changes to this setting requires a restart of the Proton task.
If blank, JVM uses it's default value.
About the session cache
Requests from the domino-db module are authenticated. This operation includes the following steps which can be expensive to perform on every request:
- Directory lookup to identify the functional id in the Domino directory
- Client certificate validation against the Domino directory
- Building of the nameslist and group expansion for the functional id
- Retrieval of the id file for the functional id when needed
If it is an Act-as-User request, then the following steps are also performed:
- Introspection call to the IAM service to verify the access token and retrieve the user information.
- Directory lookup to identify the Act-as-User id in the Domino directory
- Build the nameslist with group expansion for the Act-as-User id
To improve application peformance, the result of these operations are cached for the amount of time specified in the Session cache TTL setting. Proton will cache at most Session cache max entries. When the cache reaches this limit the least recently used entries are removed from the cache.
For better performance, minimize the number sessions removed from the cache due of the cache size limit. For better security keep the cache TTL low.
About bad request rate limits
When processing Act-as-User requests, Proton makes introspection calls to the IAM service to validate OAuth2 tokens. When unable to validate a token, Proton attempts again the next time the token is used. By default, if an application makes 50 failed validation requests within 1 minute, Proton refuses additional requests, sends the message "Service Refused," and "jails" the offending application for 2 minutes. This feature prevents rogue or malfunctioning applications from making excessive validation requests that can consume resources and degrade the server.
All requests from a jailed application are refused, including requests from
the application and Act-as-User requests. Refused requests and other failed
Act-as-User requests are logged as errors in the console with the prefix
PROTON: NotAuthorized:
.
See these settings to change related the default settings.
Working with the Proton add-in task
This section provides additional details related to using the Proton task as an administrator.
Starting and stopping the Proton add-in task
Use the load
Domino server console command to load the Proton task:
> load proton
PROTON: Build 0.7.0-16
PROTON: Server initializing
JVM: Java Virtual Machine initialized.
PROTON: Listening on 0.0.0.0:3003, SSL-ENABLED
PROTON: Server initialized
Use the tell
command to shutdown the Proton task:
> tell proton quit
PROTON: Server stopping
PROTON: Server exited
Automatically start Proton at Domino Server startup
The Domino notes.ini setting ServerTasks
contains all the task names to
automatically load at server startup. Add Proton to this notes.ini
setting. You can edit the server's notes.ini directly with an editor if the
server is not running. Or use Domino server console commands to add
PROTON
to the list. For example:
> show config servertasks
SERVERTASKS=Replica,Router,Update,AMgr,Adminp,Sched,CalConn,RnRMgr,LDAP
> set config SERVERTASKS=Replica,Router,Update,AMgr,Adminp,Sched,CalConn,RnRMgr,LDAP,PROTON
Show Configuration
To inspect the current Proton configuration settings, use the tell proton showconfig
Domino server console command. Proton periodically checks for
updates to its configuration document. The command also forces Proton to read
the latest configuration settings.
> tell proton showconfig
Proton: Version : "..."
Proton: Configuration : "'...' loaded from note 2298"
Proton: Enabled : True
Proton: Valid : True
Proton: SSL : True
Proton: Keyfile : "protonserver.kyr"
Proton: Listen Address : "0.0.0.0"
Proton: Listen Port : 3003
Proton: Allow Anonymous : False
Proton: Allow Client Cert : True
Proton: Allow Act-as-User : True
Proton: IAM Client Config : "default"
Proton: Wait time for ID : 18 seconds
Proton: Max Note Count : 200 per request
Proton: Session Cache TTL : 300 seconds
Proton: Session Cache Size : 5000 entries
Proton: Allow Write Attachments : True
Proton: Min Attachment Chunk : 4 KB
Proton: Max Attachment Chunk : 32 KB
Proton: Max Write Attachment Size : 0 MB
Proton: Allow Agent Run : True
Proton: JVM Min Heap : ""
Proton: JVM Max Heap : ""
Proton: Enable Rate Limits : True
Proton: Max Applications : 500
Proton: Max Bad Requests : 50
Proton: Max Bad Requests Time : 60 seconds
Proton: Abuse jail time : 120 seconds
Proton: Enable Rich Text Streaming : False
Proton: Min Rich Text Chunk : 4 KB
Proton: Max Rich Text Chunk : 32 KB
Proton: Max Rich Text Size : 1024 MB
Statistics
The Proton addin task maintains a set of Domino statistics that provide a view
into operational aspects of this service. Access the Proton statistics using
the Domino server console command: show stat proton
.
For example:
> show stat proton
PROTON.Available = 1
PROTON.Available.ElapsedSecs = 585
PROTON.Build = ...
PROTON.RateLimit.Jail.Count = 0
PROTON.RateLimit.Jail.Total.Count = 0
PROTON.RateLimit.Refused.Count = 0
PROTON.RateLimit.RequestHistory.Count = 0
PROTON.RateLimit.RequestHistory.Entries.Bytes = 0
PROTON.RateLimit.RequestHistory.Entries.Count = 0
PROTON.RateLimit.RequestHistory.LockTimeMS = 0
PROTON.RateLimit.RequestHistory.LockWaitTimeMS = 0
PROTON.Requests.Active.Current = 0
PROTON.Requests.Active.Max = 0
PROTON.Requests.Active.Total = 0
PROTON.Request.Errors = 0
PROTON.Request.Errors.OutOfMemory = 0
PROTON.Request.QueryDB = 0
PROTON.Request.QueryDB.Errors = 0
PROTON.Request.QueryDB.Explain = 0
PROTON.Session.Cache1.Count = 0
PROTON.Session.Cache1.Entries.Bytes = 0
PROTON.Session.Cache1.Entries.Count = 0
PROTON.Session.Cache1.LockTimeMS = 0
PROTON.Session.Cache1.LockWait0 = 0
PROTON.Session.Cache1.LockWait1 = 0
PROTON.Session.Cache1.LockWait2 = 0
PROTON.Session.Cache1.LockWaitTimeMS = 0
PROTON.Session.Cache1.Lookup.Expired = 0
PROTON.Session.Cache1.Lookup.Hit = 0
PROTON.Session.Cache1.Lookup.Miss = 0
PROTON.Session.Cache1.Prune.Ejected = 0
PROTON.Session.Cache1.Prune.Expired = 0
PROTON.Session.Cache1.Save = 0
PROTON.Session.Cache1.Save.Miss = 0
PROTON.Session.IdCache.Errors = 0
PROTON.Session.IdCache.GetIdFile.Total.Get.Err = 0
PROTON.Session.IdCache.GetIdFile.Total.Get.Num = 0
PROTON.Session.IdCache.GetIdFile.Total.Get.TimeMS = 0
PROTON.Session.IdCache.GetIdFile.Total.ReGet.Num = 0
PROTON.Session.IdCache.GetIdFile.Total.Wait.Err = 0
PROTON.Session.IdCache.GetIdFile.Total.Wait.Num = 0
PROTON.Session.IdCache.GetIdFile.Total.Wait.TimeMS = 0
PROTON.Session.IdCache.Miss = 0
PROTON.Session.Init.Errors = 0
PROTON.Session.Lookup.Certificate = 0
PROTON.Session.Lookup.Certificate.Errors = 0
PROTON.Session.Lookup.IdVault = 0
PROTON.Session.Lookup.IdVault.ConcurrentMax = 0
PROTON.Session.Lookup.IdVault.Errors = 0
PROTON.Session.Lookup.Token = 0
PROTON.Session.Lookup.Token.Errors = 0
PROTON.Threads.Active.Current = 1
PROTON.Threads.Active.Max = 1
PROTON.Threads.Active.Total = 1
54 statistics found
Notes about the Proton statistics:
Session.Cache1.*
statistics refer to the certificate based authentication cache operations.Session.IdCache.*
statistics refer to the use of the Id Vault cache when an application makes use of encryption operations.Session.Lookup.*
statistics refer to request authentication operations.Request.*
statistics refer to application request operations.RateLimit.*
statistics refer to rate limiting for bad Act-as-User requests data.RateLimit.RequestHistory.Entries.Bytes
- The size, in bytes, of all rate limit history entries.RateLimit.Jail.Count
- The number of applications currently in jail.RateLimit.Jail.Total.Count
- The total number of times any application has been placed in jail.RateLimit.Refused.Count
- The number of requests that have been refused due to the application being in jail.