Configure Proton as a resource provider
This section describes how to configure Proton so that it can accept and process an
AccessToken
from a Domino-db based application. When Proton receives a Domino-db request
which includes an AccessToken
makes an introspection call to the IAM service
to verify the access token and to obtain the user information associated with the access
token.
Verify the connection to the IAM introspection endpoint
Proton makes the introspection call to the IAM service with an HTTPS request. Run the following command from the Domino server console to verify that it can connect to the IAM service endpoint and to inspect the certificates for the connection.
c:\>echo "badreq" | openssl s_client -connect auth.jumbocloudservices.com:7443 --quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = auth.jumbocloudservices.com
verify return:1
HTTP/1.1 400 Bad Request
Connection: close
read:errno=0
The Bad Request text in the output is expected. You can ignore it.
HTTP/1.1 400 Bad Request
Connection: close
The command above reports the certificates used by the IAM service that it connects to.
Verify that the certificates
reported, except for the last one, are installed into the Domino server keyring file as trusted
roots. This guide uses the keyring file name appsdb1.kyr
.
C:\> kyrtool.exe show roots -k appsdb1.kyr
Using keyring path 'appsdb1.kyr'
Trust Anchors:
Anchor 0 (name)
CN=DST Root CA X3/O=Digital Signature Trust Co.
Anchor 0 (cert)
Subject: CN=DST Root CA X3/O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 09/30/2000 05:12:19 PM
Not After: 09/30/2021 10:01:15 AM
Public Key Alg: rsaEncryption
Fingerprint: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
Key length: 2048 bits
Signature Alg: sha1WithRSAEncryption
Anchor 1 (name)
CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Anchor 1 (cert)
Subject: CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 03/17/2016 12:40:46 PM
Not After: 03/17/2021 12:40:46 PM
Public Key Alg: rsaEncryption
Fingerprint: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Key length: 2048 bits
Signature Alg: sha256WithRSAEncryption
...
Configure the resource provider
Use the IAM Admin (e.g. https://auth.jumbocloudservices.com:8443
) to create the
resource provider for Proton.
In this step you provide:
- The Domino Resource Provider name, which is a unique name in IAM Admin.
- The Domino Resource Provider description, which is a free-form description field.
The IAM Admin generates the following data:
- Domino Resource Provider id
- Domino Resource Provider secret
The id and secret are the introspection credentials.
Configure the introspection credentials
This step adds the introspection configuration into the credential store. The introspection configuration includes:
- The configuration name. This name must be configured in Proton.
- The introspection credentials as generated above.
- The introspection URI. This is the URL to IAM service endpoint verified above.
Use the oauthcfg
tool to manage the introspection configuration for the Domino server. Run the tool
from the command line, not the Domino server console. This is some basic help from the tool:
C:\>oauthcfg
Usage: oauthcfg [--version]
Supported commands:
create
delete Delete introspection configuration
list List introspection configurations matching name. Blank name lists all.
Use the following command to create a new introspection configuration entry with the name
proton-addin
.
C:\>oauthcfg create proton-addin 34378bf4-777c-4a7b-9eaa-9e8b630b38c9 LG958uYNQUm7UQyDnIBTUf0dDkQ/Dq4r2HkMRQaPTbUaC40cvTsRUMiy/DJm8QRx https://auth.jumbocloudservices.com:7443/token/introspection
Credentials created successfully
Verify the contents of the introspection configuration using the following command. The Domino Resource Provider secret is not shown.
C:\>oauthcfg list
name:proton-addin id:34378bf4-777c-4a7b-9eaa-9e8b630b38c9 URI:https://auth.jumbocloudservices.com:7443/token/introspection
Configure Proton
Use the following Domino server console commands to enable the Act-as-User feature in Proton and to specify the name of the introspection configuration.
> set config PROTON_ACTASUSER=1
> set config PROTON_IAMCLIENT_CONFIG_NAME=proton-addin
Use the restart task proton
Domino server console command to restart Proton.
> restart task proton
[0648:0002-0BCC] 12/12/2019 08:32:21.09 AM PROTON> Server stopping
[0648:0002-0BCC] 12/12/2019 08:32:21.12 AM PROTON> Server exited
[06A8:0002-06AC] 12/12/2019 08:32:25.98 AM PROTON> Build 0.5.0
[06A8:0002-06AC] 12/12/2019 08:32:25.98 AM PROTON> Server initializing
[06A8:0002-06AC] 12/12/2019 08:32:26.04 AM PROTON> Listening on 0.0.0.0:3003, SSL-ENABLED
[06A8:0002-06AC] 12/12/2019 08:32:26.04 AM PROTON> Server initialized