Configure IAM service
There are two parts to IAM service configuration:
- Items that are configured using a command line setup tool.
- LDAP configuration that is completed after the IAM service is started the first time using a browser.
Configure using command line tool
Start the configuration tool using the npm run setup command. You can also run this tool after initial configuration to make changes to an existing configuration.
c:\iam>npm run setup
> domino-iam-service@1.3.0 setup c:\iam
> node utility/setup.js
[08:29:54][info][configStore][master]: No configurations found in configuration directory
Welcome to IAM Setup
? Choose setup mode Production.
Setup will ask if you want to setup Production or Pilot mode. Choose Production.
Configure the administration user name and password
? IAM Admin username: admin
? Enter IAM Admin password: ********
? Enter IAM Admin password again: ********
Admin password is set successfully
Configure the server password
Next, setup asks you to enter the IAM server password. This is the password that you must enter every time you start the IAM server (using npm start).
? Enter IAM server password: ********
? Enter IAM server password again: ********
Server password is set successfully
Configure the issuer/IAM service URL
Next, setup asks you to enter the URL that administrators and users use to access the IAM service. The certificate generated by Let's Encrypt (or another CA provider) must match the hostname in this URL.
About to config The URL of the issuer.
? IAM Service ISSUER: https://auth.jumbocloudservices.com:7443/
Following configuration have been input for The URL of the issuer --
issuer - https://auth.jumbocloudservices.com/
? Confirm? Yes
Configure the network settings
Setup asks for the network interfaces that the IAM service will use to listen for connections. Choose all network interfaces unless you want to limit connections to IAM to specific IP addresses on your machine.
Setup also asks for 2 port numbers. The "IAM service port" is used by web users to login to the IAM service and by other applications to make introspection requests to the IAM service. The "ADMIN service port" is used by administrators to make changes to IAM configuration. Use the "IAM Admin username/password" created above to access the IAM configuration.
About to config Address Settings.
? IAM service's host(leave as '[default]' to accept the request from all network interfaces):
? IAM service's port: 7443
? ADMIN service's host(leave as '[default]' to accept the request from all network interfaces):
? ADMIN service's port: 8443
Following configuration have been input for Address Settings --
IAM service's host - [default]
IAM service's port - 7443
ADMIN service's host - [default]
ADMIN service's port - 8443
? Confirm? Yes
Configure SSL Settings
Setup asks for the SSL certificate and private key related to the IAM service listening ports. We provide the Let's Encrypt certificate and keys. These files were copied into the config/certs directory in an earlier step.
About to config SSL Settings.
? IAM server's SSL key file path (relative to 'config/certs' folder): config/certs/auth.jumbocloudservices.com.encrypted.key
? Server's SSL key password: ****
? Server's SSL cert file path (relative to 'config/certs' folder): config/certs/auth.jumbocloudservices.com.crt
Following configuration have been input for SSL Settings --
IAM server's SSL key file path - config/certs/auth.jumbocloudservices.com.encrypted.key
Server's SSL key password - ***
Server's SSL cert file path - config/certs/auth.jumbocloudservices.com.crt
? Confirm? Yes
Configure storage settings
Setup asks for the following configuration data related to using the Domino server for storing IAM service data. IAM uses the domino-db package and Proton to access the iamstore.nsf database. This configuration data is similar to the data other domino-db based applications need.
- Provide the hostname for the IAM service to connect to Domino, and specifically to the Proton add-in task. The hostname provided here must exactly match (case sensitive) the SAN written to the 'appsdb1.crt' file.
- Provide the port number where Proton is listening for connections.
- Provide the database name we created based on the iam-store.ntf database.
- Provide the private key, password, and certificate created by the Internal CA that are associated with the IAM functional id in the Domino directory.
- Provide the IAM functional id's ID file password.
About to config Storage Settings.
? Hostname of the Domino server: appsdb1.jumbocloudservices.com
? Domino's Proton service port: 3003
? IAM's storage nsf file path, a relative path to Domino data path: iamstore.nsf
? IAM's Proton client cert key file path (relative to 'config/certs' folder): config/certs/iamapp.key
? The key file's protection passphrase: ****
? IAM's Proton client cert file path (relative to 'config/certs' folder): config/certs/iamapp.crt
? The cert's bounded functional ID's Notes password: ********
Following configuration have been input for Storage Settings --
Domino server hostname - appsdb1.jumbocloudservices.com
Domino Proton service port - 3003
Storage nsf file - iamstore.nsf
key for the client cert - config/certs/iamapp.key
Passphrase of key file - ***
Domino Proton client cert - config/certs/iamapp.crt
Functional ID's Notes password - ***
? Confirm? Yes
Summary
Review configuration changes and save when complete.
All configurations are listed below:
Following configuration have been input for The URL of the issuer --
issuer - https://auth.jumbocloudservices.com/
Following configuration have been input for Address Settings --
IAM service's host - [default]
IAM service's port - 7443
ADMIN service's host - [default]
ADMIN service's port - 8443
Following configuration have been input for SSL Settings --
IAM server's SSL key file path - config/certs/auth.jumbocloudservices.com.encrypted.key
Server's SSL key password - ***
Server's SSL cert file path - config/certs/auth.jumbocloudservices.com.crt
Following configuration have been input for Storage Settings --
Domino server hostname - appsdb1.jumbocloudservices.com
Domino Proton service port - 3003
Storage nsf file - iamstore.nsf
key for the client cert - config/certs/iamapp.key
Passphrase of key file - ***
Domino Proton client cert - config/certs/iamapp.crt
Functional ID's Notes password - ***
? Do you want to change some configuration? No, the listed above will be saved to local.properties.
IAM Server setup completed.
NOTICE: The configuration file has been encrypted.
NOTICE: Original configuration file has been renamed to *.[timestamp].bak file, please delete it after confirmation to keep confidential.
In addition, you can review some of the IAM configuration data by inspecting the contents of the config\local.properties file. For example:
c:\iam>type config\local.properties
logConfig.logLevel = info
providerConfig.ISSUER = https://auth.jumbocloudservices.com:7443/
commonConfig.IAM_SERVICE_HOST =
commonConfig.IAM_SERVICE_PORT = 7443
commonConfig.ADMIN_SERVICE_HOST =
commonConfig.ADMIN_SERVICE_PORT = 8443
sslConfig.SSL_SERVER_KEY_FILE_PATH = config/certs/auth.jumbocloudservices.com.encrypted.key
sslConfig.SSL_SERVER_KEY_PASSPHRASE = <encrypted>....</encrypted>
sslConfig.SSL_SERVER_CERT_FILE_PATH = config/certs/auth.jumbocloudservices.com.crt
dbConfig.dominoConfig.HOSTNAME = appsdb1.jumbocloudservices.com
dbConfig.dominoConfig.PORT = 3003
dbConfig.dominoConfig.DATABASE = iamstore.nsf
dbConfig.dominoConfig.credential.CLIENT_KEY = config/certs/iamapp.key
dbConfig.dominoConfig.credential.CLIENT_KEY_PASSPHRASE = <encrypted>....</encrypted>
dbConfig.dominoConfig.credential.CLIENT_CERT = config/certs/iamapp.crt
dbConfig.dominoConfig.credential.IDFILE_PASSWORD = <encrypted>....</encrypted>
launchConfig.ADMIN_ACCOUNT = <encrypted>....</encrypted>
launchConfig.adminPasswordStorage = ....
launchConfig.passwordStorage = ....
launchConfig.encryptedSecretKey = <encrypted>....</encrypted>
IAM encrypts some of the more sensitive configuration data and this data will appear as a string of random characters.
Start IAM service for the first time
Use the npm start command to start the IAM service. You will be prompted for the IAM server password.
c:\iam>npm start
> domino-iam-service@1.3.0 start c:\iam
> node iam-server.js
[08:37:59][info][master][master]: IAM version: 1.3.0
Start to unlock config:
? Enter current IAM server password: ********
Config is unlocked.
[08:38:02][info][master][master]: Starts as cluster mode.
[08:38:02][info][stats][master]: IAM StatsClient enabled: false
[08:38:02][info][cluster][master]: Worker 1 is started
[08:38:02][info][cluster][master]: Worker 2 is started
[08:38:06][info][worker][worker-1]: Worker 1 starts to provide service, which process id is: 2088
[08:38:06][info][worker][worker-2]: Worker 2 starts to provide service, which process id is: 836
[08:38:06][info][stats][worker-1]: IAM StatsClient enabled: false
[08:38:06][info][stats][worker-2]: IAM StatsClient enabled: false
[08:38:06][warn][IAMService][worker-1]: LDAP has not been configured yet! Please go to Admin Service to configure it.
[08:38:06][warn][IAMService][worker-2]: LDAP has not been configured yet! Please go to Admin Service to configure it.
[08:38:07][info][initServices][worker-1]: Start IAM service on allAddress:7443
[08:38:07][info][initServices][worker-1]: IAM service serves on port 7443
[08:38:07][info][initServices][worker-1]: Start Admin service on allAddress:8443
[08:38:07][info][initServices][worker-1]: Admin service serves on port 8443
[08:38:07][info][initServices][worker-2]: Start IAM service on allAddress:7443
[08:38:07][info][initServices][worker-2]: IAM service serves on port 7443
At this point the IAM service needs additional LDAP configuration as reported by the console log.
Configure LDAP using the web administration interface
Access the IAM Administration page using the URL:
https://auth.jumbocloudservices.com:8443/
Enter the IAM Admin username and password.
Select the Configuration option.
Enter the following data:
- The LDAPS URL to your Domino server. This is how IAM will make LDAP requests for name lookup operations.
- The Search Base DN. Use your organization's name.
- The Search fields. This determines how users will be able to authenticate with the IAM service. "mail,cn" indicates either by internet email address or canonical name.
- The Bind DN. We are using the IAM functional id for IAM to authenticate with the Domino server to make LDAP requests.
- The Bind DN Password. This is the IAM functional id's Internet password.
- For Test user, enter a name that you know exists in the Domino directory. This is used to perform a lookup to verify that the LDAP configuration data is valid.
- Advanced Option: For Notes DN Attribute, enter the name of the LDAP attribute that has the Notes DN for the authenticated user. If Domino is the LDAP server, then leave this field blank. Otherwise, enter the field name from the foreign LDAP server that has the Notes DN value.
Click the Verify button.
When IAM is able to verify the LDAP configuration it will report "Verified IdP successfully" and the Save button will become enabled.
Click the Save button.
Restart
You must restart the IAM service to have the changes take effect. Kill the existing instance of the IAM service and start again with the "npm start" command.