IAM Configuration
This document describes how to set up IAM from the original downloaded package file, domino-iam-service-2.2.0.tgz.
Note: Complete the steps on the Preparation and Domino Configuration pages before you set up the IAM server.
IAM package structure
Decompress the domino-iam-service-2.2.0.tgz package file. It contains these files:
domino-iam-service/
| admin-client/
| config/
| | certs/
| | | ca/
| | | | README.md
| dependencies/
| utility/
| | changePassword.js
| | setup.js
| views/
| package.json
| iam-server.js
| package-lock.json
Package structure:
views directory contains the default UI pages for the login, logout and interaction operations. To customize these pages, see UI Customization.
admin-client directory contains the pages that the IAM administrator uses to configure IAM and manage applications. For more information, see IAM Management.
config folder is where the IAM configuration settings are saved after setup.
- config/certs holds the IAM key and certificate files.
- config/certs/ca holds the CA certificates that IAM trusts.
Installing IAM
IAM's dependency packages are downloaded and installed by npm, so the server needs network access to the npm registry (or a mirror of it) during this step. Install them with the following commands:
cd domino-iam-service
npm install
The package ships a package-lock.json. Running npm ci instead of npm install installs exactly the dependency versions recorded in that lock file, which is the reproducible choice for a production server.
Prepare for HTTPS configuration
HTTPS (TLS, historically called SSL) is mandatory for the IAM server. The server certificate lets client applications authenticate the IAM server and protects the traffic between them. The administrator configures TLS for the IAM server during setup.
1: Before setting up the IAM server, put the following files into the config/certs folder:
- the IAM server private key (only RSA private keys are supported)
- the IAM server certificate in PEM format (if the certificate is signed by an intermediate CA, concatenate the intermediate CA chain after the server certificate in the same file)
Note: For more information, see Preparation.
2: If the IAM server certificate is NOT signed by a well-known trusted CA, put the root CA certificate into the IAM trust store folder, config/certs/ca.
Prepare for Domino storage connection
The IAM server stores its data in Domino storage. See Domino Configuration to prepare the Domino storage.
IAM authenticates to Domino storage with a client certificate. Put the following key and certificate files into the config/certs folder:
- Domino Proton client key (only RSA private keys are supported)
- Domino Proton client certificate
If the Domino Proton certificate is not signed by a well-known trusted Certificate Authority, put the root CA certificate (and all intermediate CA certificates) into the IAM trust store folder, config/certs/ca.
Configure the trust store in IAM
IAM uses TLS/HTTPS when communicating with other servers and verifies the peer certificate on every TLS connection. If a peer's certificate is signed by an internal CA instead of a well-known trusted CA, put the PEM format CA certificate (including the intermediate CAs) into the IAM trust store (the config/certs/ca folder) so that IAM trusts it. A certificate that does not chain to a CA in the trust store is rejected.
IAM enforces HTTPS between the IAM server and the IAM Admin server. Make sure the IAM server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
IAM enforces TLS between the IAM server and the Domino Proton server. Make sure the Domino Proton server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
IAM supports LDAPS (LDAP over TLS) between the IAM server and the LDAP server (Domino or Active Directory). Make sure the LDAPS server certificate is signed by a well-known CA, or put the CA certificate into the trust store.
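The certificate preparation in the two sections above (server key and chain in config/certs, CA certificates in config/certs/ca) and the trust-store rules in this section are easy to get subtly wrong, and every mistake shows up only later as a failed TLS handshake: a key that is not RSA, a key that does not match the certificate, a missing intermediate, or a root that is not in the trust store. The following shell script is an added example, not part of the IAM package or of HCL's documentation. It builds the config/certs layout with a constructed throwaway two-tier CA (root CA, issuing CA, an IAM server certificate and a Proton client certificate; the host names and the passphrase are made up for the example) and then runs the checks that are worth applying to the real files before npm run setup. The only tool it assumes is openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the IAM package: lay out config/certs the way the
# setup expects and run the checks worth running on the real files before
# "npm run setup". The two-tier CA, host names and passphrase are constructed
# for the example; the only tool assumed is openssl 1.1.1 or later on PATH.
set -eu

WORK="${IAM_CERT_WORK:-$(mktemp -d)}"
CERTS="$WORK/config/certs"          # key and certificate files
TRUST="$CERTS/ca"                   # IAM trust store (CA certificates)
KEY_PASS="example-passphrase"       # the "Server's SSL key password" asked at setup
mkdir -p "$TRUST"

# Minimal OpenSSL config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/openssl.cnf"

# issue NAME SUBJECT ISSUER EXTENSIONS: new RSA key + CSR, signed by ISSUER's key.
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%b' "$4" > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_test_pki() {
  # Constructed PKI: root CA -> issuing CA -> IAM server cert and Proton client cert.
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -sha256 -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  issue inter "/CN=Example Issuing CA" root \
    'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n'
  issue iam "/CN=iam-server.com" inter \
    'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:iam-server.com\n'
  issue proton "/CN=iam-proton-client" inter \
    'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n'

  # IAM server: leaf certificate followed by the intermediate chain in one file,
  # private key encrypted with the passphrase that is entered at setup.
  cat "$WORK/iam.pem" "$WORK/inter.pem" > "$CERTS/iam.crt"
  openssl rsa -aes256 -in "$WORK/iam.key" -passout "pass:$KEY_PASS" \
    -out "$CERTS/iam.key" >/dev/null 2>&1
  # Proton client: leaf only; root and intermediate go into the trust store.
  cp "$WORK/proton.pem" "$CERTS/proton.crt"
  cp "$WORK/proton.key" "$CERTS/proton.key"
  cp "$WORK/root.pem"  "$TRUST/example-root-ca.pem"
  cp "$WORK/inter.pem" "$TRUST/example-issuing-ca.pem"
  chmod 600 "$CERTS"/*.key
}

# Check 1: setup accepts RSA keys only; EC and Ed25519 keys fail here.
key_is_rsa() {
  openssl rsa -in "$1" -passin "pass:$KEY_PASS" -noout -check >/dev/null 2>&1
}

# Check 2: the private key must belong to the first certificate in the cert file.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -passin "pass:$KEY_PASS" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check 3: the certificate chains to a CA in the trust store folder for the given
# purpose (sslserver for iam.crt, sslclient for proton.crt). Extra certificates in
# the cert file count only as untrusted chain material, as they do for a TLS peer;
# -no-CAfile/-no-CApath keep openssl from falling back to the default CA bundle.
chain_verifies() {
  cat "$2"/*.pem > "$WORK/trust-bundle.pem" 2>/dev/null || return 1
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/trust-bundle.pem" \
    -purpose "$3" -untrusted "$1" "$1" >/dev/null 2>&1
}

not() { ! "$@"; }
report() { label=$1; shift; if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi; }

make_test_pki
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/not-rsa.key" 2>/dev/null
mkdir -p "$WORK/empty-trust-store"
report "iam.key is an RSA key"                key_is_rsa "$CERTS/iam.key"
report "EC key is rejected"                   not key_is_rsa "$WORK/not-rsa.key"
report "iam.key matches iam.crt"              key_matches_cert "$CERTS/iam.key" "$CERTS/iam.crt"
report "proton.key matches proton.crt"        key_matches_cert "$CERTS/proton.key" "$CERTS/proton.crt"
report "iam.crt chains to the trust store"    chain_verifies "$CERTS/iam.crt" "$TRUST" sslserver
report "proton.crt chains to the trust store" chain_verifies "$CERTS/proton.crt" "$TRUST" sslclient
report "iam.crt fails with an empty store"    not chain_verifies "$CERTS/iam.crt" "$WORK/empty-trust-store" sslserver
echo "prepared files under $CERTS"
```

To check real files, set KEY_PASS to the key passphrase and call the three check functions against config/certs/iam.key, config/certs/iam.crt and the config/certs/ca folder (and against proton.key and proton.crt with purpose sslclient). Once the server is running, the same verification from a client's point of view is openssl s_client -connect iam-server.com:443 -servername iam-server.com -CAfile config/certs/ca/<root-ca>.pem, whose output must end with "Verify return code: 0 (ok)".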
IAM setup
Set up IAM with the following command:
~/domino-iam-service$ npm run setup
Step 1: Configure the IAM Admin credentials
Create a user name and password to use to log in to the IAM Admin service.
Welcome to IAM Setup
? IAM Admin username: admin
? Enter IAM Admin password: [hidden]
? Enter IAM Admin password again: [hidden]
Admin password is set successfully
Step 2: Configure the IAM server password
Create a password that you must enter when you start the IAM server; it unlocks the encrypted configuration file. Do not share this password.
? Enter IAM server password: [hidden]
? Enter IAM server password again: [hidden]
Server password is set successfully
Step 3: Configure the URL for the IAM service
Configure the IAM service URL (the issuer) that client applications use to access the service:
Setting Name | Setting Description |
---|---|
IAM Service ISSUER | The public URL of the IAM service: the server URL if client applications reach the server directly, or the proxy URL if a load balancer or reverse proxy is in front of it. Client applications connect to this URL, so it must resolve for them and present a certificate they trust. |
Note: If your IAM server does not serve on the default HTTPS port, 443, include the port in the issuer, for example
https://iam-server.com:6443
About to config The URL of the issuer.
? IAM Service ISSUER: https://iam-server.com
Following configuration have been input for The URL of the issuer --
issuer - https://iam-server.com
? Confirm? Yes
Step 4: Configure addresses
Configure the addresses that the IAM service and the IAM Admin service listen on. The Admin service exposes the IAM administration pages, so unless it must be reachable from every network, bind it to an internal interface (or restrict it with a firewall) rather than leaving it on all interfaces.
Setting Name | Setting Description |
---|---|
IAM service's host | The address that the IAM service listens on. '[default]': listen on all network interfaces; '0.0.0.0': listen on all IPv4 interfaces; hostname/ip: listen only on the interface that has that address. |
IAM service's port | The IAM service port number |
ADMIN service's host | The address that the IAM Admin service listens on. '[default]': listen on all network interfaces; '0.0.0.0': listen on all IPv4 interfaces; hostname/ip: listen only on the interface that has that address. |
ADMIN service's port | The IAM Admin service port number |
About to config Address Settings.
? IAM service's host(leave as '[default]' to accept the request from all network interfaces):
? IAM service's port: 443
? ADMIN service's host(leave as '[default]' to accept the request from all network interfaces):
? ADMIN service's port: 8443
Following configuration have been input for Address Settings --
IAM service's host - [default]
IAM service's port - 443
ADMIN service's host - [default]
ADMIN service's port - 8443
? Confirm? Yes
Step 5: Configure SSL settings
Configure the SSL (TLS) settings of the IAM server:
Setting Name | Setting Description |
---|---|
IAM server's SSL key file path (relative to 'config/certs' folder) | The IAM server's private key file |
Server's SSL key password | The passphrase that protects the IAM server's private key |
Server's SSL cert file path (relative to 'config/certs' folder) | The IAM server's certificate file (with the intermediate chain appended, if any) |
About to config SSL Settings.
? IAM server's SSL key file path (relative to 'config/certs' folder): config/certs/iam.key
? Server's SSL key password: ********
? Server's SSL cert file path (relative to 'config/certs' folder): config/certs/iam.crt
Following configuration have been input for SSL Settings --
IAM server's SSL key file path - config/certs/iam.key
Server's SSL key password - ***
Server's SSL cert file path - config/certs/iam.crt
? Confirm? Yes
Step 6: Configure storage settings
Configure the IAM database (Domino storage) settings:
Setting Name | Setting Description |
---|---|
Hostname of the Domino server | The Domino server's hostname |
Domino's Proton service port | The Proton connection port; the same port that is configured on the Domino server |
IAM's storage nsf file path (e.g: iam-store.nsf) | The database name including the path. The path is relative to the Domino data directory. |
IAM's Proton client cert file path (relative to 'config/certs' folder) | The Proton client certificate file |
IAM's Proton client cert key file path (relative to 'config/certs' folder) | The Proton client private key file |
The key file's protection passphrase | The passphrase that protects the client private key |
The cert's bounded functional ID's Notes password | The password of the Notes ID file of the functional ID that the client certificate is bound to |
Note: You must create the database (NSF file) using the IAM storage template. For more information, see Domino Configuration.
About to config Storage Settings.
? Hostname of the Domino server: domino-server.hcl
? Domino's Proton service port: 447
? IAM's storage nsf file path, a relative path to Domino data path: iam-store.nsf
? IAM's Proton client cert key file path (relative to 'config/certs' folder): config/certs/proton.key
? The key file's protection passphrase: [hidden]
? IAM's Proton client cert file path (relative to 'config/certs' folder): config/certs/proton.crt
? The cert's bounded functional ID's Notes password: ***
Following configuration have been input for Storage Settings --
Domino server hostname - domino-server.hcl
Domino Proton service port - 447
Storage nsf file - iam-store.nsf
key for the client cert - config/certs/proton.key
The key file's protection passphrase: - ***
Domino Proton client cert - config/certs/proton.crt
Functional ID's Notes password - ***
? Confirm? Yes
Confirmation
? Do you want to change some configuration? No, the listed above will be saved to local.properties.
IAM Server setup completed.
NOTICE: The configuration file has been encrypted.
NOTICE: Original configuration file has been renamed to *.[timestamp].bak file, please delete it after confirmation to keep confidential.
Tips:
- After each group of settings, there is a confirmation prompt. Enter n to change the settings of that group.
- After all settings are input, you see the following prompt, which allows you to change settings. To change any settings, input Yes and use the arrow keys to select the group of settings to change:
? Do you want to change some configuration? Yes
? What setting do you want to edit again?
  The URL of the issuer
❯ Address Settings
  SSL Settings
  Storage Settings
- The setup writes the encrypted configuration to local.properties and keeps the unencrypted original as a *.[timestamp].bak file. Delete that backup as soon as you have confirmed that the configuration works; as long as it exists, the settings you entered are readable by anyone who can read the file.
Start the IAM server
Execute the following command from the IAM root folder:
~/domino-iam-service$ npm start
Enter the IAM server password when you see the following prompt:
Start to unlock config:
? Enter current IAM server password: [hidden]
The following output indicates that the IAM server has started successfully:
[01:48:05][info][initServices]: Start IAM service on allAddress:443
[01:48:05][info][initServices]: IAM service serves on port 443
[01:48:05][info][initServices]: Start Admin service on allAddress:8443
[01:48:05][info][initServices]: Admin service serves on port 8443
Then you can access the IAM server from a browser.
Tips: For example, if the issuer URL is set to https://iam-server.com and the admin service port is 8443, visit:
- IAM service: https://iam-server.com
- Admin service: https://iam-server.com:8443
Next step: Configure IDP to connect with LDAP
The next step is to configure the IDP through the IAM Admin service. See the Configure IDP section in IAM Management.